This adjusts the behavior of the file module so that removing an se* option
does not revert the file's selinux context to the default. To go back to the
default context according to the policy, use the context=default option.
@@ -72,6 +72,21 @@ def add_path_info(kwargs): |
72 | 72 |
kwargs['state'] = 'absent' |
73 | 73 |
return kwargs |
74 | 74 |
|
75 |
+# If selinux fails to find a default, return an array of None |
|
76 |
+def selinux_default_context(path, mode=0): |
|
77 |
+ context = [None, None, None, None] |
|
78 |
+ if not HAVE_SELINUX: |
|
79 |
+ return context |
|
80 |
+ try: |
|
81 |
+ ret = selinux.matchpathcon(path, mode) |
|
82 |
+ except OSError: |
|
83 |
+ return context |
|
84 |
+ if ret[0] == -1: |
|
85 |
+ return context |
|
86 |
+ context = ret[1].split(':') |
|
87 |
+ debug("got default secontext=%s" % ret[1]) |
|
88 |
+ return context |
|
89 |
+ |
|
75 | 90 |
# =========================================== |
76 | 91 |
|
77 | 92 |
argfile = sys.argv[1] |
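Review bot: `context = ret[1].split(':')` in selinux_default_context will yield more than four fields when the policy's default carries an MLS/MCS range with categories (the range itself contains a colon, e.g. `s0-s0:c0.c1023`), so the returned list no longer lines up with the four-element [seuser, serole, setype, selevel] shape the callers index into; `context = ret[1].split(':', 3)` keeps the level intact as the fourth field. The same comment applies to the pre-existing selinux_context, which is outside this hunk. A related point: every failure path here (no selinux bindings, OSError, matchpathcon returning -1) hands back `[None, None, None, None]`, and because set_context_if_different skips None entries, a user who asks for context=default on such a path gets a silent no-op with no changed/failed signal; the header comment should at least say so, e.g. `# Returns [None]*4 when no default is known; callers then leave the context untouched`, or the context=default branch should fail_json when all four entries are None.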
@@ -107,8 +122,16 @@ seuser = params.get('seuser', None) |
107 | 107 |
serole = params.get('serole', None) |
108 | 108 |
setype = params.get('setype', None) |
109 | 109 |
selevel = params.get('serange', 's0') |
110 |
+context = params.get('context', None) |
|
110 | 111 |
secontext = [seuser, serole, setype, selevel] |
111 | 112 |
|
113 |
+if context is not None: |
|
114 |
+ if context != 'default': |
|
115 |
+ fail_json(msg='invalid context: %s' % context) |
|
116 |
+ if seuser is not None or serole is not None or setype is not None: |
|
117 |
+ fail_json(msg='cannot define context=default and seuser, serole or setype') |
|
118 |
+ secontext = selinux_default_context(path) |
|
119 |
+ |
|
112 | 120 |
if state not in [ 'file', 'directory', 'link', 'absent']: |
113 | 121 |
fail_json(msg='invalid state: %s' % state) |
114 | 122 |
|
@@ -148,34 +171,14 @@ def selinux_context(path): |
148 | 148 |
debug("got current secontext=%s" % ret[1]) |
149 | 149 |
return context |
150 | 150 |
|
151 |
-# If selinux fails to find a default, return an array of None |
|
152 |
-def selinux_default_context(path, mode=0): |
|
153 |
- context = [None, None, None, None] |
|
154 |
- print >>sys.stderr, path |
|
155 |
- if not HAVE_SELINUX: |
|
156 |
- return context |
|
157 |
- try: |
|
158 |
- ret = selinux.matchpathcon(path, mode) |
|
159 |
- except OSError: |
|
160 |
- return context |
|
161 |
- if ret[0] == -1: |
|
162 |
- return context |
|
163 |
- context = ret[1].split(':') |
|
164 |
- debug("got default secontext=%s" % ret[1]) |
|
165 |
- return context |
|
166 |
- |
|
167 | 151 |
def set_context_if_different(path, context, changed): |
168 | 152 |
if not HAVE_SELINUX: |
169 | 153 |
return changed |
170 | 154 |
cur_context = selinux_context(path) |
171 |
- new_context = selinux_default_context(path) |
|
155 |
+ new_context = list(cur_context) |
|
172 | 156 |
for i in range(len(context)): |
173 | 157 |
if context[i] is not None and context[i] != cur_context[i]: |
174 |
- debug('new context was %s' % new_context[i]) |
|
175 | 158 |
new_context[i] = context[i] |
176 |
- debug('new context is %s' % new_context[i]) |
|
177 |
- elif new_context[i] is None: |
|
178 |
- new_context[i] = cur_context[i] |
|
179 | 159 |
debug("current secontext is %s" % ':'.join(cur_context)) |
180 | 160 |
debug("new secontext is %s" % ':'.join(new_context)) |
181 | 161 |
if cur_context != new_context: |