Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add file mode-awareness to selabel_lookup #9448

Merged
merged 2 commits into from
Aug 14, 2024

Conversation

joshcooper
Copy link
Contributor

@joshcooper joshcooper commented Aug 13, 2024

Fixes #9431
Supersedes #9437

This PR reproduces much of the mode-related functionality of the now-deprecated matchpathcon codepath. This is important because without this, Puppet determines an incorrect SELinux label to apply to files -- i.e. it does not match what restorecon would do -- which is important because correct SELinux labelling is a necessity in order to ensure that policy is applied correctly.

Author: Dave Baxter [email protected]

davejbax and others added 2 commits August 12, 2024 18:09
SELinux file contexts can be limited to files with a particular mode,
such as symbolic links only or directories only. Therefore, if we
specify no mode (a value of zero), our SELinux label lookup can return
an inaccurate result for the file, causing Puppet to set the wrong
SELinux type for a file. selabel_file(5) notes this:

> mode may be zero, however full matching may not occur.

This commit changes the behaviour of
get_selinux_default_context_with_handle to attempt to lstat(2) the file,
or otherwise rely on the `ensure` property to infer a suitable mode.

This should fix puppetlabs#9431.
Create private `file_mode` method that returns either the current mode or a
default mode based on the desired `resource_ensure` value.
@joshcooper
Copy link
Contributor Author

given

# ruby --version
ruby 3.2.5 (2024-07-26 revision 31d0f1a2e7) [aarch64-linux]
# rpm -q httpd
httpd-2.4.57-11.el9_4.1.aarch64
# semanage fcontext -l | grep /etc/httpd | grep -v alias | grep -v keytab
/etc/httpd(/.*)?                                   all files          system_u:object_r:httpd_config_t:s0 
/etc/httpd/.*                                      symbolic link      system_u:object_r:etc_t:s0 

file

# rm -f /etc/httpd/conf.d/foo.conf
# bundle exec puppet apply -e "file { '/etc/httpd/conf.d/foo.conf': ensure => file, content => 'test' }"
Notice: Compiled catalog for XXX in environment production in 0.03 seconds
Notice: /Stage[main]/Main/File[/etc/httpd/conf.d/foo.conf]/ensure: defined content as '{sha256}9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08'
Notice: Applied catalog in 0.05 seconds
# ls -laZ /etc/httpd/conf.d/foo.conf
-rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 4 Aug 13 01:33 /etc/httpd/conf.d/foo.conf

directory

# bundle exec puppet apply -e "file { '/etc/httpd/conf.d/more.d': ensure => directory }"
Notice: Compiled catalog for XXX in environment production in 0.03 seconds
Notice: /Stage[main]/Main/File[/etc/httpd/conf.d/more.d]/ensure: created
Notice: Applied catalog in 0.02 seconds
# ls -ladZ /etc/httpd/conf.d/more.d/
drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0 6 Aug 13 01:33 /etc/httpd/conf.d/more.d/

symlink

# touch /etc/foo.conf
# bundle exec puppet apply -e "file { '/etc/httpd/conf.d/link': ensure => link, target => '/etc/foo.conf' }"
Notice: Compiled catalog for XXX in environment production in 0.03 seconds
Notice: /Stage[main]/Main/File[/etc/httpd/conf.d/link]/ensure: created
Notice: Applied catalog in 0.02 seconds
# ls -laZ /etc/httpd/conf.d/link 
lrwxrwxrwx. 1 root root system_u:object_r:etc_t:s0 13 Aug 13 01:36 /etc/httpd/conf.d/link -> /etc/foo.conf

@joshcooper joshcooper marked this pull request as ready for review August 13, 2024 01:42
@joshcooper joshcooper requested a review from a team as a code owner August 13, 2024 01:42
@joshcooper joshcooper merged commit 19bc0de into puppetlabs:main Aug 14, 2024
9 checks passed
@joshcooper joshcooper deleted the fix-file-resource-seltype-9431 branch August 14, 2024 00:09
@joshcooper joshcooper added the bug Something isn't working label Aug 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Default file SELinux seltype is incorrect
2 participants