(PUP-7126) Use selabel_lookup instead of matchpathcon #9349
Merged
Conversation
AriaXLi force-pushed the PUP-7126 branch 4 times, most recently from b05e468 to 65f1112 on May 21, 2024 00:49
joshcooper reviewed on May 21, 2024
AriaXLi force-pushed the PUP-7126 branch 14 times, most recently from c3b7af8 to 82ff1fe on June 1, 2024 01:24
joshcooper reviewed on Jun 3, 2024
AriaXLi added a commit to AriaXLi/puppet that referenced this pull request on Jun 3, 2024:
This commit adds API documentation, updates a call to, and adds a spec test for the pre_resource_eval class function in the POSIX file provider (which was added in puppetlabs#9349). When called, pre_resource_eval will create a class variable, selinux_handle, which can be used when handling data for SELinux. Since the handle is a class variable, we can avoid running into performance issues since the handle can be re-used instead of needing to make a new one each time.
AriaXLi force-pushed the PUP-7126 branch 6 times, most recently from 03eac32 to 0c17a5a on June 3, 2024 22:41
AriaXLi added a commit to AriaXLi/puppet that referenced this pull request on Jun 3, 2024:
This commit adds API documentation, updates a call to, and adds a spec test for the pre_resource_eval class function in the POSIX file provider (which was added in puppetlabs#9349). When called, pre_resource_eval will create a class variable, selinux_handle, which can be used when handling data for SELinux. Since the handle is a class variable, we can avoid running into performance issues since the handle can be re-used instead of needing to make a new one each time. Additionally, since the old method wasn't completely removed & replaced (and instead deprecated), less changes to old spec tests are needed as their calls to the deprecated method aren't impacted.
AriaXLi added a commit to AriaXLi/puppet that referenced this pull request on Jun 3, 2024:
This commit adds API documentation, updates a call to, and adds a spec test for the pre_resource_eval class function in the POSIX file provider (which was added in puppetlabs#9349). When called, pre_resource_eval will create a class variable, selinux_handle, which can be used when handling data for SELinux. Since the handle is a class variable, we can avoid running into performance issues since the handle can be re-used instead of needing to make a new one each time. Additionally, since the old method wasn't completely removed & replaced (and instead deprecated), less changes to old spec tests are needed as their calls to the deprecated method aren't impacted.
AriaXLi force-pushed the PUP-7126 branch 3 times, most recently from 941be4d to 379945e on June 4, 2024 23:18
joshcooper reviewed on Jun 5, 2024
joshcooper reviewed on Jun 5, 2024
AriaXLi force-pushed the PUP-7126 branch 6 times, most recently from 0dbb4ba to e13cd19 on June 6, 2024 00:12
joshcooper reviewed on Jun 6, 2024
This commit:
- Deprecates get_selinux_default_context, which calls the deprecated Selinux.matchpathcon, and replaces it with get_selinux_default_context_with_handle, which calls Selinux.selabel_lookup instead. The new method requires a handle since selabel_lookup requires a handle.
- Adds a getter method for the class variable, selinux_handle, in the POSIX file provider, which is used to get the handle for get_selinux_default_context_with_handle. With this getter method, selinux_handle will only be initialized once with Selinux.selabel_lookup.
- Updates post_resource_eval in the POSIX file provider to call Selinux.selabel_close instead of the deprecated Selinux.matchpathcon_fini when terminating selinux_handle. After, selinux_handle is set to nil.

Co-authored-by: William Bradford Clark <[email protected]>
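The handle lifecycle that commit message describes (one selabel handle opened lazily, reused for every lookup in a run, closed in a post-eval step), as an added Ruby example that is not Puppet's code. It is written against a constructed stand-in for the Selinux SWIG module so it runs without libselinux; the call shapes selabel_open(backend, opts, nopts), selabel_lookup(handle, path, mode) returning [rc, context] with rc == -1 on no match, and selabel_close(handle) are assumed to mirror the binding named in the PR, and with the real binding one would pass Selinux and Selinux::SELABEL_CTX_FILE instead of the fake.

```ruby
# Constructed stand-in for the Selinux SWIG module: same three call shapes
# (selabel_open / selabel_lookup / selabel_close), plus open/close counters.
class FakeSelinux
  SELABEL_CTX_FILE = 0 # file-context backend id, as in libselinux
  attr_reader :opens, :closes
  # specs: { "/etc" => "system_u:object_r:etc_t:s0", ... } (constructed)
  def initialize(specs)
    @specs, @opens, @closes = specs, 0, 0
  end

  def selabel_open(_backend, _opts, _nopts)
    @opens += 1
    Object.new # opaque handle, like the SWIG pointer wrapper
  end

  # Longest matching prefix wins; [-1, nil] when no spec matches, which is
  # how selabel_lookup reports "no default context for this path".
  def selabel_lookup(_handle, path, _mode)
    prefix = @specs.keys.select { |p| path.start_with?(p) }.max_by(&:length)
    prefix ? [0, @specs[prefix]] : [-1, nil]
  end

  def selabel_close(_handle)
    @closes += 1
  end
end

# Provider-style holder: one handle per run, released in a post-eval step.
class LabelLookup
  def initialize(selinux, backend_id)
    @selinux, @backend_id, @handle = selinux, backend_id, nil
  end

  # Lazily opened on first use, so every resource in the run shares it.
  def handle
    @handle ||= @selinux.selabel_open(@backend_id, nil, 0)
  end

  # Default context for path, or nil when no file spec matches.
  def default_context(path, mode = 0o100644)
    rc, ctx = @selinux.selabel_lookup(handle, path, mode)
    rc == -1 ? nil : ctx
  end

  # Counterpart of post_resource_eval: close the handle and drop the reference
  # so a later lookup reopens cleanly instead of using a freed handle.
  def close
    return if @handle.nil?
    @selinux.selabel_close(@handle)
    @handle = nil
  end
end
```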
joshcooper approved these changes on Jun 7, 2024
Verified this is working as expected on RHEL7 with

```
# setenforce Permissive
# reboot
... reconnect
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
# cat manifest.pp
Integer[0, 5].each |$i| {
  file { "/root/tmp/file$i.txt":
    ensure  => file,
    seltype => 'etc_t',
  }
}
# mkdir ~/tmp
# bundle exec puppet apply manifest.pp
/root/puppet/lib/puppet/provider/file/posix.rb:22: warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle
Notice: Compiled catalog for XXX in environment production in 0.02 seconds
Notice: /Stage[main]/Main/File[/root/tmp/file0.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file1.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file2.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file3.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file4.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file5.txt]/ensure: created
Notice: Applied catalog in 0.28 seconds
# ls -Z /root/tmp/file0.txt
-rw-r--r--. root root system_u:object_r:etc_t:s0 /root/tmp/file0.txt
# bundle exec puppet apply manifest.pp
/root/puppet/lib/puppet/provider/file/posix.rb:22: warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle
Notice: Compiled catalog for XXX in environment production in 0.02 seconds
Notice: Applied catalog in 0.27 seconds
# vi manifest.pp
# grep seltype manifest.pp
    seltype => 'user_home_t',
# bundle exec puppet apply manifest.pp
/root/puppet/lib/puppet/provider/file/posix.rb:22: warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle
Notice: Compiled catalog for XXX in environment production in 0.02 seconds
Notice: /Stage[main]/Main/File[/root/tmp/file0.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file1.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file2.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file3.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file4.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file5.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
```

The `warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle` error is unrelated to this. It seems our fix in puppetlabs/puppet-runtime#620 is not working. I'll file a separate issue about that.
AriaXLi added a commit to AriaXLi/puppet-runtime that referenced this pull request on Jun 12, 2024:
After puppetlabs/puppet#9349 was merged the warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle error popped up again on RHEL-8 x86_64. We ran into this previously and thought puppetlabs#620 fixed it completely. This issue was completely fixed in swig 4.2.0+. This commit patches selinuxswig_ruby_wrap.c with swig/swig@aa21014 and is applied after the patch from puppetlabs#620 since the fix in swig/swig@aa21014 came after.
imaqsood pushed a commit to imaqsood/puppet-runtime that referenced this pull request on Aug 12, 2024:
After puppetlabs/puppet#9349 was merged the warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle error popped up again on RHEL-8 x86_64. We ran into this previously and thought puppetlabs#620 fixed it completely. This issue was completely fixed in swig 4.2.0+. This commit patches selinuxswig_ruby_wrap.c with swig/swig@aa21014 and is applied after the patch from puppetlabs#620 since the fix in swig/swig@aa21014 came after.