cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

made special treatment of certain filesystem for selinux configurable

Browse source
This commit is contained in:
Brian Coca 2015-05-14 10:50:22 -04:00
parent 2e31a67532
commit 0913b8263c
5 changed files with 31 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
examples/ansible.cfg
View file

@ -223,3 +223,8 @@ accelerate_daemon_timeout = 30
# is "no". # is "no".
#accelerate_multi_key = yes #accelerate_multi_key = yes
[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependant context.
#special_context_filesystems=nfs,vboxsf,fuse

5
lib/ansible/constants.py
View file

@ -142,7 +142,10 @@ DEFAULT_SU_FLAGS = get_config(p, DEFAULTS, 'su_flags', 'ANSIBLE_SU_FLAG
DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root') DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root')
DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True) DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True)
DEFAULT_GATHERING = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower() DEFAULT_GATHERING = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower()
DEFAULT_LOG_PATH = shell_expand_path(get_config(p, DEFAULTS, 'log_path', 'ANSIBLE_LOG_PATH', '')) DEFAULT_LOG_PATH = shell_expand_path(get_config(p, DEFAULTS, 'log_path', 'ANSIBLE_LOG_PATH', ''))
# selinux
DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf', islist=True)
#TODO: get rid of ternary chain mess #TODO: get rid of ternary chain mess
BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas'] BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas']

24
lib/ansible/module_utils/basic.py
View file

@ -38,6 +38,8 @@ BOOLEANS_TRUE = ['yes', 'on', '1', 'true', 1]
BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0] BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0]
BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE
SELINUX_SPECIAL_FS="<<SELINUX_SPECIAL_FILESYSTEMS>>"
# ansible modules can be written in any language. To simplify # ansible modules can be written in any language. To simplify
# development of Python modules, the functions available here # development of Python modules, the functions available here
# can be inserted in any module source automatically by including # can be inserted in any module source automatically by including
@ -529,10 +531,10 @@ class AnsibleModule(object):
path = os.path.dirname(path) path = os.path.dirname(path)
return path return path
def is_nfs_path(self, path): def is_special_selinux_path(self, path):
""" """
Returns a tuple containing (True, selinux_context) if the given path Returns a tuple containing (True, selinux_context) if the given path is on a
is on a NFS mount point, otherwise the return will be (False, None). NFS or other 'special' fs mount point, otherwise the return will be (False, None).
""" """
try: try:
f = open('/proc/mounts', 'r') f = open('/proc/mounts', 'r')
@ -543,9 +545,13 @@ class AnsibleModule(object):
path_mount_point = self.find_mount_point(path) path_mount_point = self.find_mount_point(path)
for line in mount_data: for line in mount_data:
(device, mount_point, fstype, options, rest) = line.split(' ', 4) (device, mount_point, fstype, options, rest) = line.split(' ', 4)
if path_mount_point == mount_point and 'nfs' in fstype:
nfs_context = self.selinux_context(path_mount_point) if path_mount_point == mount_point:
return (True, nfs_context) for fs in SELINUX_SPECIAL_FS.split(','):
if fs in fstype:
special_context = self.selinux_context(path_mount_point)
return (True, special_context)
return (False, None) return (False, None)
def set_default_selinux_context(self, path, changed): def set_default_selinux_context(self, path, changed):
@ -563,9 +569,9 @@ class AnsibleModule(object):
# Iterate over the current context instead of the # Iterate over the current context instead of the
# argument context, which may have selevel. # argument context, which may have selevel.
(is_nfs, nfs_context) = self.is_nfs_path(path) (is_special_se, sp_context) = self.is_special_selinux_path(path)
if is_nfs: if is_special_se:
new_context = nfs_context new_context = sp_context
else: else:
for i in range(len(cur_context)): for i in range(len(cur_context)):
if len(context) > i: if len(context) > i:

3
v1/ansible/module_common.py
View file

@ -33,6 +33,8 @@ REPLACER_ARGS = "\"<<INCLUDE_ANSIBLE_MODULE_ARGS>>\""
REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\"" REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\""
REPLACER_WINDOWS = "# POWERSHELL_COMMON" REPLACER_WINDOWS = "# POWERSHELL_COMMON"
REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\"" REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\""
REPLACER_SELINUX = "<<SELINUX_SPECIAL_FILESYSTEMS>>"
class ModuleReplacer(object): class ModuleReplacer(object):
@ -167,6 +169,7 @@ class ModuleReplacer(object):
# these strings should be part of the 'basic' snippet which is required to be included # these strings should be part of the 'basic' snippet which is required to be included
module_data = module_data.replace(REPLACER_VERSION, repr(__version__)) module_data = module_data.replace(REPLACER_VERSION, repr(__version__))
module_data = module_data.replace(REPLACER_SELINUX, ','.join(C.DEFAULT_SELINUX_SPECIAL_FS))
module_data = module_data.replace(REPLACER_ARGS, encoded_args) module_data = module_data.replace(REPLACER_ARGS, encoded_args)
module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex) module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex)