diff --git a/lib/puppet/provider/file/posix.rb b/lib/puppet/provider/file/posix.rb index f4c645b6336..445dbb13cbf 100644 --- a/lib/puppet/provider/file/posix.rb +++ b/lib/puppet/provider/file/posix.rb @@ -12,22 +12,8 @@ require 'etc' require_relative '../../../puppet/util/selinux' - class << self - def selinux_handle - return nil unless Puppet::Util::SELinux.selinux_support? - - # selabel_open takes 3 args: backend, options, and nopt. The backend param - # is a constant, SELABEL_CTX_FILE, which happens to be 0. Since options is - # nil, nopt can be 0 since nopt represents the # of options specified. - @selinux_handle ||= Selinux.selabel_open(Selinux::SELABEL_CTX_FILE, nil, 0) - end - - def post_resource_eval - if @selinux_handle - Selinux.selabel_close(@selinux_handle) - @selinux_handle = nil - end - end + def self.post_resource_eval + Selinux.matchpathcon_fini if Puppet::Util::SELinux.selinux_support? end def uid2name(id) diff --git a/lib/puppet/type/file/selcontext.rb b/lib/puppet/type/file/selcontext.rb index 474c64a0ccc..225bb5f2c5e 100644 --- a/lib/puppet/type/file/selcontext.rb +++ b/lib/puppet/type/file/selcontext.rb @@ -40,12 +40,11 @@ def retrieve end def retrieve_default_context(property) - return nil if Puppet::Util::Platform.windows? if @resource[:selinux_ignore_defaults] == :true return nil end - context = get_selinux_default_context_with_handle(@resource[:path], provider.class.selinux_handle) + context = get_selinux_default_context(@resource[:path], @resource[:ensure]) unless context return nil end @@ -86,7 +85,7 @@ def sync end Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do - desc "If this is set then Puppet will not ask SELinux (via selabel_lookup) to + desc "If this is set then Puppet will not ask SELinux (via matchpathcon) to supply defaults for the SELinux attributes (seluser, selrole, seltype, and selrange). In general, you should leave this set at its default and only set it to true when you need Puppet to not try to fix @@ -99,7 +98,7 @@ def sync Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do desc "What the SELinux user component of the context of the file should be. Any valid SELinux user component is accepted. For example `user_u`. - If not specified it defaults to the value returned by selabel_lookup for + If not specified it defaults to the value returned by matchpathcon for the file, if any exists. Only valid on systems with SELinux support enabled." @@ -110,7 +109,7 @@ def sync Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do desc "What the SELinux role component of the context of the file should be. Any valid SELinux role component is accepted. For example `role_r`. - If not specified it defaults to the value returned by selabel_lookup for + If not specified it defaults to the value returned by matchpathcon for the file, if any exists. Only valid on systems with SELinux support enabled." @@ -121,7 +120,7 @@ def sync Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do desc "What the SELinux type component of the context of the file should be. Any valid SELinux type component is accepted. For example `tmp_t`. - If not specified it defaults to the value returned by selabel_lookup for + If not specified it defaults to the value returned by matchpathcon for the file, if any exists. Only valid on systems with SELinux support enabled." @@ -133,7 +132,7 @@ def sync desc "What the SELinux range component of the context of the file should be. Any valid SELinux range component is accepted. For example `s0` or `SystemHigh`. If not specified it defaults to the value returned by - selabel_lookup for the file, if any exists. Only valid on systems with + matchpathcon for the file, if any exists. Only valid on systems with SELinux support enabled and that have support for MCS (Multi-Category Security)." diff --git a/lib/puppet/util/selinux.rb b/lib/puppet/util/selinux.rb index bfb730ecc95..cd2c636f2e7 100644 --- a/lib/puppet/util/selinux.rb +++ b/lib/puppet/util/selinux.rb @@ -46,7 +46,6 @@ def get_selinux_current_context(file) # Retrieve and return the default context of the file. If we don't have # SELinux support or if the SELinux call fails to file a default then return nil. - # @deprecated matchpathcon is a deprecated method, selabel_lookup is preferred def get_selinux_default_context(file, resource_ensure = nil) return nil unless selinux_support? # If the filesystem has no support for SELinux labels, return a default of nil @@ -69,20 +68,11 @@ def get_selinux_default_context(file, resource_ensure = nil) end retval = Selinux.matchpathcon(file, mode) - retval == -1 ? nil : retval[1] - end - - def get_selinux_default_context_with_handle(file, handle) - return nil unless selinux_support? - # If the filesystem has no support for SELinux labels, return a default of nil - # instead of what selabel_lookup would return - return nil unless selinux_label_support?(file) - - # Handle is needed for selabel_lookup - raise ArgumentError, _("Cannot get default context with nil handle") unless handle + if retval == -1 + return nil + end - retval = Selinux.selabel_lookup(handle, file, 0) - retval == -1 ? nil : retval[1] + retval[1] end # Take the full SELinux context returned from the tools and parse it diff --git a/spec/unit/transaction_spec.rb b/spec/unit/transaction_spec.rb index 716d5d07625..c7c278bf1c7 100644 --- a/spec/unit/transaction_spec.rb +++ b/spec/unit/transaction_spec.rb @@ -758,15 +758,15 @@ def post_resource_eval transaction.evaluate end - it "should call Selinux.selabel_close in case Selinux is enabled", :if => Puppet.features.posix? do - handle = double('selinux_handle') - selinux = class_double('selinux', is_selinux_enabled: 1, selabel_close: nil, selabel_open: handle, selabel_lookup: -1) + it "should call Selinux.matchpathcon_fini in case Selinux is enabled ", :if => Puppet.features.posix? do + selinux = double('selinux', is_selinux_enabled: true, matchpathcon_fini: nil) stub_const('Selinux', selinux) - stub_const('Selinux::SELABEL_CTX_FILE', 0) + resource = Puppet::Type.type(:file).new(:path => make_absolute("/tmp/foo")) transaction = transaction_with_resource(resource) - expect(Selinux).to receive(:selabel_close).with(handle) + expect(Selinux).to receive(:matchpathcon_fini) + expect(Puppet::Util::SELinux).to receive(:selinux_support?).and_return(true) transaction.evaluate end diff --git a/spec/unit/type/file/selinux_spec.rb b/spec/unit/type/file/selinux_spec.rb index aeedefacebe..2292bfd3496 100644 --- a/spec/unit/type/file/selinux_spec.rb +++ b/spec/unit/type/file/selinux_spec.rb @@ -50,16 +50,13 @@ end it "should handle no default gracefully" do - skip if Puppet::Util::Platform.windows? - expect(@sel).to receive(:get_selinux_default_context_with_handle).with(@path, nil).and_return(nil) + expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return(nil) expect(@sel.default).to be_nil end - it "should be able to detect default context on platforms other than Windows", unless: Puppet::Util::Platform.windows? do + it "should be able to detect matchpathcon defaults" do allow(@sel).to receive(:debug) - hnd = double("SWIG::TYPE_p_selabel_handle") - allow(@sel.provider.class).to receive(:selinux_handle).and_return(hnd) - expect(@sel).to receive(:get_selinux_default_context_with_handle).with(@path, hnd).and_return("user_u:role_r:type_t:s0") + expect(@sel).to receive(:get_selinux_default_context).with(@path, :file).and_return("user_u:role_r:type_t:s0") expectedresult = case param when :seluser; "user_u" when :selrole; "role_r" @@ -69,11 +66,6 @@ expect(@sel.default).to eq(expectedresult) end - it "returns nil default context on Windows", if: Puppet::Util::Platform.windows? do - expect(@sel).to receive(:retrieve_default_context) - expect(@sel.default).to be_nil - end - it "should return nil for defaults if selinux_ignore_defaults is true" do @resource[:selinux_ignore_defaults] = :true expect(@sel.default).to be_nil diff --git a/spec/unit/util/selinux_spec.rb b/spec/unit/util/selinux_spec.rb index 1df1c46b785..21c1fea4801 100644 --- a/spec/unit/util/selinux_spec.rb +++ b/spec/unit/util/selinux_spec.rb @@ -241,35 +241,6 @@ end end - describe "get_selinux_default_context_with_handle" do - it "should return a context if a default context exists" do - without_partial_double_verification do - expect(self).to receive(:selinux_support?).and_return(true) - expect(self).to receive(:find_fs).with("/foo").and_return("ext3") - hnd = double("SWIG::TYPE_p_selabel_handle") - expect(Selinux).to receive(:selabel_lookup).with(hnd, '/foo', 0).and_return([0, "user_u:role_r:type_t:s0"]) - expect(get_selinux_default_context_with_handle("/foo", hnd)).to eq("user_u:role_r:type_t:s0") - end - end - - it "should raise an ArgumentError when handle is nil" do - allow(self).to receive(:selinux_support?).and_return(true) - allow(self).to receive(:selinux_label_support?).and_return(true) - expect{get_selinux_default_context_with_handle("/foo", nil)}.to raise_error(ArgumentError, /Cannot get default context with nil handle/) - end - - it "should return nil if there is no SELinux support" do - expect(self).to receive(:selinux_support?).and_return(false) - expect(get_selinux_default_context_with_handle("/foo", nil)).to be_nil - end - - it "should return nil if selinux_label_support returns false" do - expect(self).to receive(:selinux_support?).and_return(true) - expect(self).to receive(:find_fs).with("/foo").and_return("nfs") - expect(get_selinux_default_context_with_handle("/foo", nil)).to be_nil - end - end - describe "parse_selinux_context" do it "should return nil if no context is passed" do expect(parse_selinux_context(:seluser, nil)).to be_nil