Merge pull request #11011 from bcoca/fuse_selinux_fix

attempt to fix selinux context on fuse filesystems

Merge pull request #11011 from bcoca/fuse_selinux_fix
attempt to fix selinux context on fuse filesystems
71889889 · Brian Coca · 5a947209 · e2de336a · 71889889 · 71889889
Commit 71889889 authored May 15, 2015 by Brian Coca
Show whitespace changes
Inline Side-by-side

Showing with 26 additions and 9 deletions

examples/ansible.cfg
+5 -0

lib/ansible/constants.py
+3 -0

lib/ansible/inventory/__init__.py
+0 -0

lib/ansible/module_common.py
+3 -0

lib/ansible/module_utils/basic.py
+15 -9

No files found.
--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@@ -223,3 +223,8 @@ accelerate_daemon_timeout = 30
 # is "no".
 #accelerate_multi_key = yes

+[selinux]
+# file systems that require special treatment when dealing with security context
+# the default behaviour that copies the existing context or uses the user default
+# needs to be changed to use the file system dependant context.
+#special_context_filesystems=nfs,vboxsf,fuse
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -136,6 +136,9 @@ DEFAULT_ASK_SU_PASS       = get_config(p, DEFAULTS, 'ask_su_pass', 'ANSIBLE_ASK_
 DEFAULT_GATHERING         = get_config(p, DEFAULTS, 'gathering', 'ANSIBLE_GATHERING', 'implicit').lower()
 DEFAULT_LOG_PATH          = shell_expand_path(get_config(p, DEFAULTS, 'log_path',           'ANSIBLE_LOG_PATH', ''))

+# selinux
+DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf', islist=True)
+
 #TODO: get rid of ternary chain mess
 BECOME_METHODS            = ['sudo','su','pbrun','pfexec','runas']
 BECOME_ERROR_STRINGS      = {'sudo': 'Sorry, try again.', 'su': 'Authentication failure', 'pbrun': '', 'pfexec': '', 'runas': ''}

--- a/lib/ansible/inventory/__init__.py
+++ b/lib/ansible/inventory/__init__.py
--- a/lib/ansible/module_common.py
+++ b/lib/ansible/module_common.py
@@ -33,6 +33,8 @@ REPLACER_ARGS = "\"<<INCLUDE_ANSIBLE_MODULE_ARGS>>\""
 REPLACER_COMPLEX = "\"<<INCLUDE_ANSIBLE_MODULE_COMPLEX_ARGS>>\""
 REPLACER_WINDOWS = "# POWERSHELL_COMMON"
 REPLACER_VERSION = "\"<<ANSIBLE_VERSION>>\""
+REPLACER_SELINUX = "<<SELINUX_SPECIAL_FILESYSTEMS>>"
+

 class ModuleReplacer(object):

@@ -167,6 +169,7 @@ class ModuleReplacer(object):

            # these strings should be part of the 'basic' snippet which is required to be included
            module_data = module_data.replace(REPLACER_VERSION, repr(__version__))
+            module_data = module_data.replace(REPLACER_SELINUX, ','.join(C.DEFAULT_SELINUX_SPECIAL_FS))
            module_data = module_data.replace(REPLACER_ARGS, encoded_args)
            module_data = module_data.replace(REPLACER_COMPLEX, encoded_complex)


--- a/lib/ansible/module_utils/basic.py
+++ b/lib/ansible/module_utils/basic.py
@@ -38,6 +38,8 @@ BOOLEANS_TRUE = ['yes', 'on', '1', 'true', 1]
 BOOLEANS_FALSE = ['no', 'off', '0', 'false', 0]
 BOOLEANS = BOOLEANS_TRUE + BOOLEANS_FALSE

+SELINUX_SPECIAL_FS="<<SELINUX_SPECIAL_FILESYSTEMS>>"
+
 # ansible modules can be written in any language.  To simplify
 # development of Python modules, the functions available here
 # can be inserted in any module source automatically by including
@@ -528,10 +530,10 @@ class AnsibleModule(object):
            path = os.path.dirname(path)
        return path

-    def is_nfs_path(self, path):
+    def is_special_selinux_path(self, path):
        """
-        Returns a tuple containing (True, selinux_context) if the given path
-        is on a NFS mount point, otherwise the return will be (False, None).
+        Returns a tuple containing (True, selinux_context) if the given path is on a
+        NFS or other 'special' fs  mount point, otherwise the return will be (False, None).
        """
        try:
            f = open('/proc/mounts', 'r')
@@ -542,9 +544,13 @@ class AnsibleModule(object):
        path_mount_point = self.find_mount_point(path)
        for line in mount_data:
            (device, mount_point, fstype, options, rest) = line.split(' ', 4)
-            if path_mount_point == mount_point and 'nfs' in fstype:
-                nfs_context = self.selinux_context(path_mount_point)
-                return (True, nfs_context)
+
+            if path_mount_point == mount_point:
+                for fs in SELINUX_SPECIAL_FS.split(','):
+                    if fs in fstype:
+                        special_context = self.selinux_context(path_mount_point)
+                        return (True, special_context)
+
        return (False, None)

    def set_default_selinux_context(self, path, changed):
@@ -562,9 +568,9 @@ class AnsibleModule(object):
        # Iterate over the current context instead of the
        # argument context, which may have selevel.

-        (is_nfs, nfs_context) = self.is_nfs_path(path)
-        if is_nfs:
-            new_context = nfs_context
+        (is_special_se, sp_context) = self.is_special_selinux_path(path)
+        if is_special_se:
+            new_context = sp_context
        else:
            for i in range(len(cur_context)):
                if len(context) > i: