made special treatment of certain filesystem for selinux configurable

This commit is contained in:
Brian Coca 2015-05-14 10:50:22 -04:00
parent 2e31a67532
commit 0913b8263c
5 changed files with 31 additions and 14 deletions

View file

@ -223,3 +223,8 @@ accelerate_daemon_timeout = 30
# is "no". # is "no".
#accelerate_multi_key = yes #accelerate_multi_key = yes
[selinux]
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependant context.
#special_context_filesystems=nfs,vboxsf,fuse

View file

@ -142,7 +142,10 @@ DEFAULT_SU_FLAGS = get_config(p, DEFAULTS, 'su_flags', 'ANSIBLE_SU_FLAG
DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root') DEFAULT_SU_USER = get_config(p, DEFAULTS, 'su_user', 'ANSIBLE_SU_USER', 'root')
DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True) DEFAULT_ASK_SU_PASS = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_SU_PASS', False, boolean=True)
DEFAULT_GATHERING = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower() DEFAULT_GATHERING = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower()
DEFAULT_LOG_PATH = shell_expand_path(get_config(p, DEFAULTS, 'log_path', 'ANSIBLE_LOG_PATH', '')) DEFAULT_LOG_PATH = shell_expand_path(get_config(p, DEFAULTS, 'log_path', 'ANSIBLE_LOG_PATH', ''))
# selinux
DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf', islist=True)
#TODO: get rid of ternary chain mess #TODO: get rid of ternary chain mess
BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas'] BECOME_METHODS = ['sudo','su','pbrun','pfexec','runas']

View file

@ -61,7 +61,7 @@ class Inventory(object):
self._vars_per_host = {} self._vars_per_host = {}
self._vars_per_group = {} self._vars_per_group = {}
self._hosts_cache = {} self._hosts_cache = {}
self._groups_list = {} self._groups_list = {}
self._pattern_cache = {} self._pattern_cache = {}
# to be set by calling set_playbook_basedir by playbook code # to be set by calling set_playbook_basedir by playbook code

View file

@ -38,6 +38,8 @@ BOOLEANS_TRUE = ['yes', 'on', '1', 'true', 1]
BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0] BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0]
BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE
SELINUX_SPECIAL_FS="<<SELINUX_SPECIAL_FILESYSTEMS>>"
# ansible modules can be written in any language. To simplify # ansible modules can be written in any language. To simplify
# development of Python modules, the functions available here # development of Python modules, the functions available here
# can be inserted in any module source automatically by including # can be inserted in any module source automatically by including
@ -529,10 +531,10 @@ class AnsibleModule(object):
path = os.path.dirname(path) path = os.path.dirname(path)
return path return path
def is_nfs_path(self, path): def is_special_selinux_path(self, path):
""" """
Returns a tuple containing (True, selinux_context) if the given path Returns a tuple containing (True, selinux_context) if the given path is on a
is on a NFS mount point, otherwise the return will be (False, None). NFS or other 'special' fs mount point, otherwise the return will be (False, None).
""" """
try: try:
f = open('/proc/mounts', 'r') f = open('/proc/mounts', 'r')
@ -543,9 +545,13 @@ class AnsibleModule(object):
path_mount_point = self.find_mount_point(path) path_mount_point = self.find_mount_point(path)
for line in mount_data: for line in mount_data:
(device, mount_point, fstype, options, rest) = line.split(' ', 4) (device, mount_point, fstype, options, rest) = line.split(' ', 4)
if path_mount_point == mount_point and 'nfs' in fstype:
nfs_context = self.selinux_context(path_mount_point) if path_mount_point == mount_point:
return (True, nfs_context) for fs in SELINUX_SPECIAL_FS.split(','):
if fs in fstype:
special_context = self.selinux_context(path_mount_point)
return (True, special_context)
return (False, None) return (False, None)
def set_default_selinux_context(self, path, changed): def set_default_selinux_context(self, path, changed):
@ -563,9 +569,9 @@ class AnsibleModule(object):
# Iterate over the current context instead of the # Iterate over the current context instead of the
# argument context, which may have selevel. # argument context, which may have selevel.
(is_nfs, nfs_context) = self.is_nfs_path(path) (is_special_se, sp_context) = self.is_special_selinux_path(path)
if is_nfs: if is_special_se:
new_context = nfs_context new_context = sp_context
else: else:
for i in range(len(cur_context)): for i in range(len(cur_context)):
if len(context) > i: if len(context) > i:

View file

@ -33,6 +33,8 @@ REPLACER_ARGS = "\"<<INCLUDE_ANSIBLE_MODULE_ARGS>>\""
REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\"" REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\""
REPLACER_WINDOWS = "# POWERSHELL_COMMON" REPLACER_WINDOWS = "# POWERSHELL_COMMON"
REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\"" REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\""
REPLACER_SELINUX = "<<SELINUX_SPECIAL_FILESYSTEMS>>"
class ModuleReplacer(object): class ModuleReplacer(object):
@ -41,14 +43,14 @@ class ModuleReplacer(object):
transfer. Rather than doing classical python imports, this allows for more transfer. Rather than doing classical python imports, this allows for more
efficient transfer in a no-bootstrapping scenario by not moving extra files efficient transfer in a no-bootstrapping scenario by not moving extra files
over the wire, and also takes care of embedding arguments in the transferred over the wire, and also takes care of embedding arguments in the transferred
modules. modules.
This version is done in such a way that local imports can still be This version is done in such a way that local imports can still be
used in the module code, so IDEs don't have to be aware of what is going on. used in the module code, so IDEs don't have to be aware of what is going on.
Example: Example:
from ansible.module_utils.basic import * from ansible.module_utils.basic import *
... will result in the insertion basic.py into the module ... will result in the insertion basic.py into the module
@ -94,7 +96,7 @@ class ModuleReplacer(object):
module_style = 'new' module_style = 'new'
elif 'WANT_JSON' in module_data: elif 'WANT_JSON' in module_data:
module_style = 'non_native_want_json' module_style = 'non_native_want_json'
output = StringIO() output = StringIO()
lines = module_data.split('\n') lines = module_data.split('\n')
snippet_names = [] snippet_names = []
@ -167,6 +169,7 @@ class ModuleReplacer(object):
# these strings should be part of the 'basic' snippet which is required to be included # these strings should be part of the 'basic' snippet which is required to be included
module_data = module_data.replace(REPLACER_VERSION, repr(__version__)) module_data = module_data.replace(REPLACER_VERSION, repr(__version__))
module_data = module_data.replace(REPLACER_SELINUX, ','.join(C.DEFAULT_SELINUX_SPECIAL_FS))
module_data = module_data.replace(REPLACER_ARGS, encoded_args) module_data = module_data.replace(REPLACER_ARGS, encoded_args)
module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex) module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex)