blob: c75acfa5ea954e8bd0de65d8c55a9362e86438b1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
Puppet::Type.type(:selmodule).provide(:semodule) do
desc "Manage SELinux policy modules using the semodule binary."
commands :semodule => "/usr/sbin/semodule"
def create
begin
execoutput("#{command(:semodule)} --install #{selmod_name_to_filename}")
rescue Puppet::ExecutionFailure => detail
raise Puppet::Error, "Could not load policy module: %s" % [detail];
end
return :true
end
def destroy
begin
execoutput("#{command(:semodule)} --remove #{@resource[:name]}")
rescue Puppet::ExecutionFailure => detail
raise Puppet::Error, "Could not remove policy module: %s" % [detail];
end
end
def exists?
self.debug "Checking for module #{@resource[:name]}"
execpipe("#{command(:semodule)} --list") do |out|
out.each do |line|
if line =~ /#{@resource[:name]}\b/
return :true
end
end
end
return nil
end
def syncversion
self.debug "Checking syncversion on #{@resource[:name]}"
loadver = selmodversion_loaded
if(loadver) then
filever = selmodversion_file
if (filever == loadver) then
return :true
end
end
return :false
end
def syncversion= (dosync)
begin
execoutput("#{command(:semodule)} --upgrade #{selmod_name_to_filename}")
rescue Puppet::ExecutionFailure => detail
raise Puppet::Error, "Could not upgrade policy module: %s" % [detail];
end
end
# Helper functions
def execoutput (cmd)
output = ''
begin
execpipe(cmd) do |out|
output = out.readlines.join('').chomp!
end
rescue Puppet::ExecutionFailure
raise Puppet::ExecutionFailure, output.split("\n")[0]
end
return output
end
def selmod_name_to_filename
if @resource[:selmodulepath]
return @resource[:selmodulepath]
else
return "#{@resource[:selmoduledir]}/#{@resource[:name]}.pp"
end
end
def selmod_readnext (handle)
len = handle.read(4).unpack('L')[0]
return handle.read(len)
end
def selmodversion_file
magic = 0xF97CFF8F
filename = selmod_name_to_filename
mod = File.new(filename, "r")
(hdr, ver, numsec) = mod.read(12).unpack('LLL')
if hdr != magic
raise Puppet::Error, "Found #{hdr} instead of magic #{magic} in #{filename}"
end
if ver != 1
raise Puppet::Error, "Unknown policy file version #{ver} in #{filename}"
end
# Read through (and throw away) the file section offsets, and also
# the magic header for the first section.
mod.read((numsec + 1) * 4)
## Section 1 should be "SE Linux Module"
selmod_readnext(mod)
selmod_readnext(mod)
# Skip past the section headers
mod.read(14)
# Module name
selmod_readnext(mod)
# At last! the version
v = selmod_readnext(mod)
self.debug "file version #{v}"
return v
end
def selmodversion_loaded
lines = ()
begin
execpipe("#{command(:semodule)} --list") do |output|
lines = output.readlines
lines.each do |line|
line.chomp!
bits = line.split
if bits[0] == @resource[:name] then
self.debug "load version #{bits[1]}"
return bits[1]
end
end
end
rescue Puppet::ExecutionFailure
raise Puppet::ExecutionFailure, "Could not list policy modules: %s" % [lines.join(' ').chomp!]
end
return nil
end
end
|