Skip to content

Commit

Permalink
Merge pull request puppetlabs#9390 from AriaXLi/revert_selinux_matchp…
Browse files Browse the repository at this point in the history
…athcon

Revert "Merge pull request puppetlabs#9349 from AriaXLi/PUP-7126"
  • Loading branch information
AriaXLi authored Jun 10, 2024
2 parents 7927dcf + f6ee08a commit 2417766
Show file tree
Hide file tree
Showing 6 changed files with 20 additions and 82 deletions.
18 changes: 2 additions & 16 deletions lib/puppet/provider/file/posix.rb
Original file line number Diff line number Diff line change
Expand Up @@ -12,22 +12,8 @@
require 'etc'
require_relative '../../../puppet/util/selinux'

class << self
def selinux_handle
return nil unless Puppet::Util::SELinux.selinux_support?

# selabel_open takes 3 args: backend, options, and nopt. The backend param
# is a constant, SELABEL_CTX_FILE, which happens to be 0. Since options is
# nil, nopt can be 0 since nopt represents the # of options specified.
@selinux_handle ||= Selinux.selabel_open(Selinux::SELABEL_CTX_FILE, nil, 0)
end

def post_resource_eval
if @selinux_handle
Selinux.selabel_close(@selinux_handle)
@selinux_handle = nil
end
end
def self.post_resource_eval
Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support?
end

def uid2name(id)
Expand Down
13 changes: 6 additions & 7 deletions lib/puppet/type/file/selcontext.rb
Original file line number Diff line number Diff line change
Expand Up @@ -40,12 +40,11 @@ def retrieve
end

def retrieve_default_context(property)
return nil if Puppet::Util::Platform.windows?
if @resource[:selinux_ignore_defaults] == :true
return nil
end

context = get_selinux_default_context_with_handle(@resource[:path], provider.class.selinux_handle)
context = get_selinux_default_context(@resource[:path], @resource[:ensure])
unless context
return nil
end
Expand Down Expand Up @@ -86,7 +85,7 @@ def sync
end

Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do
desc "If this is set then Puppet will not ask SELinux (via selabel_lookup) to
desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to
supply defaults for the SELinux attributes (seluser, selrole,
seltype, and selrange). In general, you should leave this set at its
default and only set it to true when you need Puppet to not try to fix
Expand All @@ -99,7 +98,7 @@ def sync
Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do
desc "What the SELinux user component of the context of the file should be.
Any valid SELinux user component is accepted. For example `user_u`.
If not specified it defaults to the value returned by selabel_lookup for
If not specified it defaults to the value returned by matchpathcon for
the file, if any exists. Only valid on systems with SELinux support
enabled."

Expand All @@ -110,7 +109,7 @@ def sync
Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do
desc "What the SELinux role component of the context of the file should be.
Any valid SELinux role component is accepted. For example `role_r`.
If not specified it defaults to the value returned by selabel_lookup for
If not specified it defaults to the value returned by matchpathcon for
the file, if any exists. Only valid on systems with SELinux support
enabled."

Expand All @@ -121,7 +120,7 @@ def sync
Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do
desc "What the SELinux type component of the context of the file should be.
Any valid SELinux type component is accepted. For example `tmp_t`.
If not specified it defaults to the value returned by selabel_lookup for
If not specified it defaults to the value returned by matchpathcon for
the file, if any exists. Only valid on systems with SELinux support
enabled."

Expand All @@ -133,7 +132,7 @@ def sync
desc "What the SELinux range component of the context of the file should be.
Any valid SELinux range component is accepted. For example `s0` or
`SystemHigh`. If not specified it defaults to the value returned by
selabel_lookup for the file, if any exists. Only valid on systems with
matchpathcon for the file, if any exists. Only valid on systems with
SELinux support enabled and that have support for MCS (Multi-Category
Security)."

Expand Down
18 changes: 4 additions & 14 deletions lib/puppet/util/selinux.rb
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@ def get_selinux_current_context(file)

# Retrieve and return the default context of the file. If we don't have
# SELinux support or if the SELinux call fails to file a default then return nil.
# @deprecated matchpathcon is a deprecated method, selabel_lookup is preferred
def get_selinux_default_context(file, resource_ensure = nil)
return nil unless selinux_support?
# If the filesystem has no support for SELinux labels, return a default of nil
Expand All @@ -69,20 +68,11 @@ def get_selinux_default_context(file, resource_ensure = nil)
end

retval = Selinux.matchpathcon(file, mode)
retval == -1 ? nil : retval[1]
end

def get_selinux_default_context_with_handle(file, handle)
return nil unless selinux_support?
# If the filesystem has no support for SELinux labels, return a default of nil
# instead of what selabel_lookup would return
return nil unless selinux_label_support?(file)

# Handle is needed for selabel_lookup
raise ArgumentError, _("Cannot get default context with nil handle") unless handle
if retval == -1
return nil
end

retval = Selinux.selabel_lookup(handle, file, 0)
retval == -1 ? nil : retval[1]
retval[1]
end

# Take the full SELinux context returned from the tools and parse it
Expand Down
10 changes: 5 additions & 5 deletions spec/unit/transaction_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -758,15 +758,15 @@ def post_resource_eval
transaction.evaluate
end

it "should call Selinux.selabel_close in case Selinux is enabled", :if => Puppet.features.posix? do
handle = double('selinux_handle')
selinux = class_double('selinux', is_selinux_enabled: 1, selabel_close: nil, selabel_open: handle, selabel_lookup: -1)
it "should call Selinux.matchpathcon_fini in case Selinux is enabled ", :if => Puppet.features.posix? do
selinux = double('selinux', is_selinux_enabled: true, matchpathcon_fini: nil)
stub_const('Selinux', selinux)
stub_const('Selinux::SELABEL_CTX_FILE', 0)

resource = Puppet::Type.type(:file).new(:path => make_absolute("/tmp/foo"))
transaction = transaction_with_resource(resource)

expect(Selinux).to receive(:selabel_close).with(handle)
expect(Selinux).to receive(:matchpathcon_fini)
expect(Puppet::Util::SELinux).to receive(:selinux_support?).and_return(true)

transaction.evaluate
end
Expand Down
14 changes: 3 additions & 11 deletions spec/unit/type/file/selinux_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -50,16 +50,13 @@
end

it "should handle no default gracefully" do
skip if Puppet::Util::Platform.windows?
expect(@sel).to receive(:get_selinux_default_context_with_handle).with(@path, nil).and_return(nil)
expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return(nil)
expect(@sel.default).to be_nil
end

it "should be able to detect default context on platforms other than Windows", unless: Puppet::Util::Platform.windows? do
it "should be able to detect matchpathcon defaults" do
allow(@sel).to receive(:debug)
hnd = double("SWIG::TYPE_p_selabel_handle")
allow(@sel.provider.class).to receive(:selinux_handle).and_return(hnd)
expect(@sel).to receive(:get_selinux_default_context_with_handle).with(@path, hnd).and_return("user_u:role_r:type_t:s0")
expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return("user_u:role_r:type_t:s0")
expectedresult = case param
when :seluser; "user_u"
when :selrole; "role_r"
Expand All @@ -69,11 +66,6 @@
expect(@sel.default).to eq(expectedresult)
end

it "returns nil default context on Windows", if: Puppet::Util::Platform.windows? do
expect(@sel).to receive(:retrieve_default_context)
expect(@sel.default).to be_nil
end

it "should return nil for defaults if selinux_ignore_defaults is true" do
@resource[:selinux_ignore_defaults] = :true
expect(@sel.default).to be_nil
Expand Down
29 changes: 0 additions & 29 deletions spec/unit/util/selinux_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -241,35 +241,6 @@
end
end

describe "get_selinux_default_context_with_handle" do
it "should return a context if a default context exists" do
without_partial_double_verification do
expect(self).to receive(:selinux_support?).and_return(true)
expect(self).to receive(:find_fs).with("/foo").and_return("ext3")
hnd = double("SWIG::TYPE_p_selabel_handle")
expect(Selinux).to receive(:selabel_lookup).with(hnd, '/foo', 0).and_return([0, "user_u:role_r:type_t:s0"])
expect(get_selinux_default_context_with_handle("/foo", hnd)).to eq("user_u:role_r:type_t:s0")
end
end

it "should raise an ArgumentError when handle is nil" do
allow(self).to receive(:selinux_support?).and_return(true)
allow(self).to receive(:selinux_label_support?).and_return(true)
expect{get_selinux_default_context_with_handle("/foo", nil)}.to raise_error(ArgumentError, /Cannot get default context with nil handle/)
end

it "should return nil if there is no SELinux support" do
expect(self).to receive(:selinux_support?).and_return(false)
expect(get_selinux_default_context_with_handle("/foo", nil)).to be_nil
end

it "should return nil if selinux_label_support returns false" do
expect(self).to receive(:selinux_support?).and_return(true)
expect(self).to receive(:find_fs).with("/foo").and_return("nfs")
expect(get_selinux_default_context_with_handle("/foo", nil)).to be_nil
end
end

describe "parse_selinux_context" do
it "should return nil if no context is passed" do
expect(parse_selinux_context(:seluser, nil)).to be_nil
Expand Down

0 comments on commit 2417766

Please sign in to comment.