| author | Sean E. Millichamp <sean@bruenor.org> | 2008-11-13 16:54:50 -0500 |
|---|---|---|
| committer | James Turnbull <james@lovedthanlost.net> | 2008-11-14 09:52:19 +1100 |
| commit | cebadd9296ad9193f583f698ec77f0fc99ae6fc9 (patch) | |
| tree | 99ea357263b9e010e4c8f30ae501f5629f39cceb /lib | |
| parent | 60455e708cbf3069a64ed4a0af6ce457c65c684e (diff) | |
| download | puppet-cebadd9296ad9193f583f698ec77f0fc99ae6fc9.tar.gz puppet-cebadd9296ad9193f583f698ec77f0fc99ae6fc9.tar.xz puppet-cebadd9296ad9193f583f698ec77f0fc99ae6fc9.zip | |
Fix bug #1681: Add filesystem type check to test for per-file SELinux context support
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/puppet/util/selinux.rb | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/lib/puppet/util/selinux.rb b/lib/puppet/util/selinux.rb
index 0df137370..70f244507 100644
--- a/lib/puppet/util/selinux.rb
+++ b/lib/puppet/util/selinux.rb
@@ -44,6 +44,11 @@ module Puppet::Util::SELinux
 unless selinux_support?
 return nil
 end
+ # If the filesystem has no support for SELinux labels, return a default of nil
+ # instead of what matchpathcon would return
+ unless selinux_label_support?(file)
+ return nil
+ end
 # If the file exists we should pass the mode to matchpathcon for the most specific
 # matching. If not, we can pass a mode of 0.
 begin
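Review bot: The new guard returns nil both when the filesystem genuinely lacks label support and when read_mounts could not read /proc/mounts at all (selinux_label_support? returns false whenever find_fs yields nil), so on a host with SELinux enabled but an unreadable mount table the default context is silently dropped, and the comment above the guard describes only the first case. Either log at debug level when the mount table cannot be read, or widen the comment to `# Skip matchpathcon when the filesystem is not known to support labels, or when the mount table could not be read`. The enclosing method's signature and the remainder of its body lie outside this hunk.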
@@ -144,4 +149,63 @@ module Puppet::Util::SELinux
 end
 return nil
 end
+
+ # Internal helper function to read and parse /proc/mounts
+ def read_mounts
+ begin
+ mounts = File.read("/proc/mounts")
+ rescue
+ return nil
+ end
+
+ mntpoint = {}
+
+ # Read all entries in /proc/mounts. The second column is the
+ # mountpoint and the third column is the filesystem type.
+ # We skip rootfs because it is always mounted at /
+ mounts.collect do |line|
+ params = line.split(' ')
+ next if params[2] == 'rootfs'
+ mntpoint[params[1]] = params[2]
+ end
+ return mntpoint
+ end
+
+ # Internal helper function to return which type of filesystem a
+ # given file path resides on
+ def find_fs(file)
+ unless mnts = read_mounts()
+ return nil
+ end
+
+ # For a given file:
+ # Check if the filename is in the data structure;
+ # return the fstype if it is.
+ # Just in case: return something if you're down to "/" or ""
+ # Remove the last slash and everything after it,
+ # and repeat with that as the file for the next loop through.
+ ary = file.split('/')
+ while not ary.empty? do
+ path = ary.join('/')
+ if mnts.has_key?(path)
+ return mnts[path]
+ end
+ ary.pop
+ end
+ return mnts['/']
+ end
+
+ # Check filesystem a path resides on for SELinux support against
+ # whitelist of known-good filesystems.
+ # Returns true if the filesystem can support SELinux labels and
+ # false if not.
+ def selinux_label_support?(file)
+ fstype = find_fs(file)
+ if fstype.nil?
+ return false
+ end
+ filesystems = ['ext2', 'ext3', 'ext4', 'gfs', 'gfs2', 'xfs', 'jfs']
+ return filesystems.include?(fstype)
+ end
+
 end |
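Review bot: find_fs matches `file` against the mount table exactly as given, so a relative path or one containing `..` is attributed by its literal prefix (a path under `/home/../tmp/` would match a `/home` mount rather than the filesystem the file actually lives on), and that result decides whether a context is applied; normalizing first with `file = File.expand_path(file)` at the top of find_fs covers relative and `..` forms, while a symlinked component would still need a realpath. In read_mounts, `mounts.collect do |line|` is used only for its side effect on mntpoint and relies on String being enumerable; `mounts.each_line do |line|` states the intent and iterates lines on every Ruby version. /proc/mounts writes spaces in mount points as `\040` escapes, so a mount point containing a space will never equal the joined path; a comment noting that limitation, or an unescape of params[1], would keep the lookup honest. The per-call `filesystems` array in selinux_label_support? could be a frozen module constant since it never changes.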
