# Manage SELinux context of files.
#
# This code actually manages three pieces of data in the context.
#
# [root@delenn files]# ls -dZ /
# drwxr-xr-x  root root system_u:object_r:root_t         /
#
# The context of '/' here is 'system_u:object_r:root_t'.  This is
# three separate fields:
#
# system_u is the user context
# object_r is the role context
# root_t is the type context
#
# All three of these fields are returned in a single string by the
# output of the stat command, but set individually with the chcon
# command.  This allows the user to specify a subset of the three
# values while leaving the others alone.
#
# See http://www.nsa.gov/selinux/ for complete docs on SELinux.

module Puppet
    require 'puppet/util/selinux'

    # Shared base for the per-component SELinux context properties
    # (seluser, selrole, seltype, selrange).  Each subclass names one field
    # of the label; the mixed-in Puppet::Util::SELinux helpers do the actual
    # reading and writing of the file's context.
    class SELFileContext < Puppet::Property
        include Puppet::Util::SELinux

        # Current value of this component for the managed path.
        #
        # @return [Symbol, Object] :absent when the file cannot be stat'd,
        #   otherwise whatever parse_selinux_context yields for this
        #   property's component of the file's current context.
        # NOTE(review): unlike insync?, this path does not test
        # selinux_support? first -- confirm the helpers tolerate missing
        # bindings before relying on that.
        def retrieve
            return :absent unless @resource.stat(false)

            current = get_selinux_current_context(@resource[:path])
            parse_selinux_context(name, current)
        end

        # Default for one component, taken from the system's default context
        # for the path (get_selinux_default_context).
        #
        # @param property [Symbol] component to look up (:seluser, :selrole, ...)
        # @return [Object, nil] parsed component, or nil when no default
        #   context exists for the path
        def retrieve_default_context(property)
            path = @resource[:path]
            default_context = get_selinux_default_context(path)
            return nil unless default_context

            component = parse_selinux_context(property, default_context)
            unless component.nil?
                debug "Found #{property} default '#{component}' for #{path}"
            end
            component
        end

        # Without the SELinux bindings there is nothing to compare against,
        # so the property is reported as in sync and the parameter ignored.
        #
        # @param value [Object] the current value, forwarded to super otherwise
        # @return [Boolean]
        def insync?(value)
            unless selinux_support?
                debug("SELinux bindings not found. Ignoring parameter.")
                return true
            end

            super
        end

        # Apply the desired component to the file's context.
        #
        # @return [Symbol] the :file_changed event
        def sync
            set_selinux_context(@resource[:path], @should, name)
            :file_changed
        end
    end

    # SELinux user component of the file's context; retrieve/sync come from
    # Puppet::SELFileContext.
    Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do
        desc "What the SELinux user component of the context of the file should be.
            Any valid SELinux user component is accepted.  For example ``user_u``.
            If not specified it defaults to the value returned by matchpathcon for
            the file, if any exists.  Only valid on systems with SELinux support
            enabled."

        # When the manifest gives no value, fall back to the path's default context.
        defaultto { retrieve_default_context(:seluser) }
        @event = :file_changed
    end

    # SELinux role component of the file's context; retrieve/sync come from
    # Puppet::SELFileContext.
    Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do
        desc "What the SELinux role component of the context of the file should be.
            Any valid SELinux role component is accepted.  For example ``role_r``.
            If not specified it defaults to the value returned by matchpathcon for
            the file, if any exists.  Only valid on systems with SELinux support
            enabled."

        # When the manifest gives no value, fall back to the path's default context.
        defaultto { retrieve_default_context(:selrole) }
        @event = :file_changed
    end

    # SELinux type component of the file's context; retrieve/sync come from
    # Puppet::SELFileContext.
    Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do
        desc "What the SELinux type component of the context of the file should be.
            Any valid SELinux type component is accepted.  For example ``tmp_t``.
            If not specified it defaults to the value returned by matchpathcon for
            the file, if any exists.  Only valid on systems with SELinux support
            enabled."

        # When the manifest gives no value, fall back to the path's default context.
        defaultto { retrieve_default_context(:seltype) }
        @event = :file_changed
    end

    # SELinux MCS/MLS range component of the file's context; retrieve/sync
    # come from Puppet::SELFileContext.
    Puppet::Type.type(:file).newproperty(:selrange, :parent => Puppet::SELFileContext) do
        desc "What the SELinux range component of the context of the file should be.
            Any valid SELinux range component is accepted.  For example ``s0`` or
            ``SystemHigh``.  If not specified it defaults to the value returned by
            matchpathcon for the file, if any exists.  Only valid on systems with
            SELinux support enabled and that have support for MCS (Multi-Category
            Security)."

        # When the manifest gives no value, fall back to the path's default context.
        defaultto { retrieve_default_context(:selrange) }
        @event = :file_changed
    end

end