rebase selinux role to latest upstream

Rebase to latest upstream (1937938)
should not reload the SELinux policy if it's not changed (1757869)
Ability to install custom SELinux module via Ansible (1848683)

Related: rhbz#1961404
Rich Megginson 2021-04-01 23:20:39 +02:00 committed by Noriko Hosoi
parent 500d261991
commit 18badc5e8b
4 changed files with 41 additions and 224 deletions


@ -101,9 +101,9 @@ BuildRequires: ansible >= 2.9.10
%global rolename1 postfix
%deftag 1 0.1
#%%defcommit 2 6cd1ec8fdebdb92a789b14e5a44fe77f0a3d8ecd
%defcommit 2 557546f922886fc1e73012f2af08ec80fec82fe2
%global rolename2 selinux
%deftag 2 1.1.1
#%%deftag 2 1.1.1
%defcommit 3 8a95989e158519ce4bebe10091c47ef88b29261b
%global rolename3 timesync
@ -191,8 +191,6 @@ Patch11: rhel-system-roles-postfix-pr5.diff
Patch12: postfix-meta-el8.diff
Patch21: selinux-tier1-tags.diff
Patch22: selinux-bz-1926947-no-variable-named-present.diff
Patch23: selinux-ansible-test-issues.diff
Patch31: timesync-tier1-tags.diff
@ -275,8 +273,6 @@ cd %{rolename1}
cd ..
cd %{rolename2}
%patch21 -p1
%patch22 -p1
%patch23 -p1
cd ..
cd %{rolename3}
%patch31 -p1
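Review bot: The new selinux pin is not stated anywhere a reader can verify: the first hunk shows both `%defcommit 2 557546f922886fc1e73012f2af08ec80fec82fe2` and `%deftag 2 1.1.1`, each with a commented-out twin, and this rendering does not preserve which pair is old and which is new, while the description only says "Rebase to latest upstream". If the active line is the `%defcommit` one, the source is content-addressed, which is the better supply-chain posture; if it is `%deftag 2 1.1.1`, the build depends on a mutable ref and the commit it was verified against should be recorded beside it, e.g. `# v1.1.1 == <sha>`. Either way, a spec comment naming the upstream commit or tag the rebase was taken from would make the change auditable. The same file section drops `Patch22` (the `default('present')` fix for bz 1926947) and `Patch23`, presumably because upstream now carries both; stating that explicitly, e.g. `# Patch22/Patch23 merged upstream`, guards against a later rebase silently regressing them.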


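--- a/selinux-ansible-test-issues.diff
+++ /dev/null
@@ -1,164 +0,0 @@
-From 9cbbc3f63052bef0b6a697e066e092a5f9722ce8 Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi <nhosoi@redhat.com>
-Date: Mon, 22 Feb 2021 17:11:05 -0800
-Subject: [PATCH] Patch23: selinux-ansible-test-issues.diff
----
-.sanity-ansible-ignore-2.10.txt | 2 ++
-.sanity-ansible-ignore-2.9.txt | 2 ++
-library/selogin.py | 26 ++++++++++-----------
-tests/setup_module_utils.sh | 41 ---------------------------------
-4 files changed, 16 insertions(+), 55 deletions(-)
-create mode 100644 .sanity-ansible-ignore-2.10.txt
-create mode 100644 .sanity-ansible-ignore-2.9.txt
-delete mode 100755 tests/setup_module_utils.sh
-diff --git a/.sanity-ansible-ignore-2.10.txt b/.sanity-ansible-ignore-2.10.txt
-new file mode 100644
-index 0000000..5f8ce1e
---- /dev/null
-+++ b/.sanity-ansible-ignore-2.10.txt
-@@ -0,0 +1,2 @@
-+plugins/modules/selogin.py no-get-exception
-+plugins/modules/selogin.py validate-modules!skip
-diff --git a/.sanity-ansible-ignore-2.9.txt b/.sanity-ansible-ignore-2.9.txt
-new file mode 100644
-index 0000000..5f8ce1e
---- /dev/null
-+++ b/.sanity-ansible-ignore-2.9.txt
-@@ -0,0 +1,2 @@
-+plugins/modules/selogin.py no-get-exception
-+plugins/modules/selogin.py validate-modules!skip
-diff --git a/library/selogin.py b/library/selogin.py
-index b785c27..6e3fd32 100644
---- a/library/selogin.py
-+++ b/library/selogin.py
-@@ -15,6 +15,9 @@
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-+from __future__ import absolute_import, division, print_function
-+
-+__metaclass__ = type
-ANSIBLE_METADATA = {
-"status": ["preview"],
-@@ -22,13 +25,14 @@ ANSIBLE_METADATA = {
-"version": "1.0",
-}
--DOCUMENTATION = """
-+DOCUMENTATION = r"""
----
-module: selogin
-short_description: Manages linux user to SELinux user mapping
-description:
-- - Manages linux user to SELinux user mapping
--version_added: "1.0"
-+ - "WARNING: Do not use this module directly! It is only for role internal use."
-+ - Manages linux user to SELinux user mapping
-+version_added: '1.0'
-options:
-login:
-description:
-@@ -41,8 +45,7 @@ options:
-required: true
-default: null
-serange:
-- description:
-- - >-
-+ description: >
-MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login
-mapping - defaults to the SELinux user record range.
-required: false
-@@ -62,8 +65,9 @@ notes:
-- The changes are persistent across reboots
-- Not tested on any debian based system
-requirements: [ 'libselinux-python', 'policycoreutils-python' ]
--author: Dan Keder
--author: Petr Lautrbach
-+author:
-+ - Dan Keder (@dkeder)
-+ - Petr Lautrbach (@bachradsusi)
-"""
-EXAMPLES = """
-@@ -82,7 +86,7 @@ EXAMPLES = """
-# Assign all users in the engineering group to the staff_u user
-- selogin:
-- login: %engineering
-+ login: "%engineering"
-seuser: staff_u
-state: present
-"""
-@@ -198,9 +202,6 @@ def semanage_login_add(module, login, seuser, do_reload, serange="s0", sestore="
-except KeyError:
-e = get_exception()
-module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
-- except OSError:
-- e = get_exception()
-- module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
-except RuntimeError:
-e = get_exception()
-module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
-@@ -248,9 +249,6 @@ def semanage_login_del(module, login, seuser, do_reload, sestore=""):
-except KeyError:
-e = get_exception()
-module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
-- except OSError:
-- e = get_exception()
-- module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
-except RuntimeError:
-e = get_exception()
-module.fail_json(msg="%s: %s\n" % (e.__class__.__name__, str(e)))
-diff --git a/tests/setup_module_utils.sh b/tests/setup_module_utils.sh
-deleted file mode 100755
-index 94d102d..0000000
---- a/tests/setup_module_utils.sh
-+++ /dev/null
-@@ -1,41 +0,0 @@
--#!/bin/bash
--# SPDX-License-Identifier: MIT
--
--set -euo pipefail
--
--if [ -n "${DEBUG:-}" ] ; then
-- set -x
--fi
--
--if [ ! -d "${1:-}" ] ; then
-- echo Either ansible is not installed, or there is no ansible/module_utils
-- echo in "$1" - Skipping
-- exit 0
--fi
--
--if [ ! -d "${2:-}" ] ; then
-- echo Role has no module_utils - Skipping
-- exit 0
--fi
--
--# we need absolute path for $2
--absmoddir=$( readlink -f "$2" )
--
--# clean up old links to module_utils
--for item in "$1"/* ; do
-- if lnitem=$( readlink "$item" ) && test -n "$lnitem" ; then
-- case "$lnitem" in
-- *"${2}"*) rm -f "$item" ;;
-- esac
-- fi
--done
--
--# add new links to module_utils
--for item in "$absmoddir"/* ; do
-- case "$item" in
-- *__pycache__) continue;;
-- *.pyc) continue;;
-- esac
-- bnitem=$( basename "$item" )
-- ln -s "$item" "$1/$bnitem"
--done
---
-2.26.2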


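--- a/selinux-bz-1926947-no-variable-named-present.diff
+++ /dev/null
@@ -1,34 +0,0 @@
-From 035a9b2db26af071a95e02a0af08bcbb73b69abf Mon Sep 17 00:00:00 2001
-From: Florian Bachmann <fbachmann.public@gmail.com>
-Date: Fri, 5 Feb 2021 11:48:53 +0100
-Subject: [PATCH] fix incorrect default value (there is no variable named
-"present")
----
-tasks/main.yml | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/tasks/main.yml b/tasks/main.yml
-index afbe81f..702e369 100644
---- a/tasks/main.yml
-+++ b/tasks/main.yml
-@@ -118,7 +118,7 @@
-ports: "{{ item.ports }}"
-proto: "{{ item.proto | default('tcp') }}"
-setype: "{{ item.setype }}"
-- state: "{{ item.state | default(present) }}"
-+ state: "{{ item.state | default('present') }}"
-with_items: "{{ selinux_ports }}"
-- name: Set linux user to SELinux user mapping
-@@ -126,6 +126,6 @@
-login: "{{ item.login }}"
-seuser: "{{ item.seuser }}"
-serange: "{{ item.serange | default('s0') }}"
-- state: "{{ item.state | default(present) }}"
-+ state: "{{ item.state | default('present') }}"
-reload: "{{ item.reload | default(False) }}"
-with_items: "{{ selinux_logins }}"
---
-2.29.2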


@ -1,5 +1,21 @@
From 4a8f0c2b240ffccde5018d2de1166e6c22daa500 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mon, 22 Mar 2021 17:13:26 -0600
Subject: [PATCH] add tags; fix cleanup task
---
tests/set_selinux_variables.yml | 8 ++++++
tests/tests_all_purge.yml | 6 ++++-
tests/tests_all_transitions.yml | 2 ++
tests/tests_boolean.yml | 3 ++-
tests/tests_fcontext.yml | 2 +-
tests/tests_login.yml | 2 +-
tests/tests_port.yml | 2 +-
tests/tests_selinux_disabled.yml | 45 +++++++++++++++++++++-----------
8 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/tests/set_selinux_variables.yml b/tests/set_selinux_variables.yml
index f294101..7571066 100644
index 05f0c88..3446647 100644
--- a/tests/set_selinux_variables.yml
+++ b/tests/set_selinux_variables.yml
@@ -1,4 +1,12 @@
@ -14,9 +30,9 @@ index f294101..7571066 100644
+ ( ansible_distribution == "CentOS" or ansible_distribution == "RedHat" ))
- name: Get local modifications - boolean
command: /usr/sbin/semanage boolean -l -n -C
register: selinux_role_boolean
changed_when: false
diff --git a/tests/tests_all_purge.yml b/tests/tests_all_purge.yml
index 03dfe05..6775847 100644
index 40e933b..4688994 100644
--- a/tests/tests_all_purge.yml
+++ b/tests/tests_all_purge.yml
@@ -8,13 +8,17 @@
@ -39,7 +55,7 @@ index 03dfe05..6775847 100644
- name: Add a Linux System Roles SELinux User
user:
diff --git a/tests/tests_all_transitions.yml b/tests/tests_all_transitions.yml
index f608a42..d0d209b 100644
index acd37ad..20f96c4 100644
--- a/tests/tests_all_transitions.yml
+++ b/tests/tests_all_transitions.yml
@@ -1,6 +1,8 @@
@ -52,7 +68,7 @@ index f608a42..d0d209b 100644
states:
- permissive
diff --git a/tests/tests_boolean.yml b/tests/tests_boolean.yml
index 47eafc0..2aa0025 100644
index 368e8dc..966abe4 100644
--- a/tests/tests_boolean.yml
+++ b/tests/tests_boolean.yml
@@ -1,4 +1,5 @@
@ -61,7 +77,7 @@ index 47eafc0..2aa0025 100644
hosts: all
become: true
@@ -12,7 +13,7 @@
@@ -11,7 +12,7 @@
selinux_booleans:
- { name: 'samba_enable_home_dirs', state: 'on', persistent: 'yes' }
@ -71,12 +87,12 @@ index 47eafc0..2aa0025 100644
set_fact:
boolean_before: "{{ selinux_role_boolean.stdout_lines }}"
diff --git a/tests/tests_fcontext.yml b/tests/tests_fcontext.yml
index 0a411fb..f6f1bf4 100644
index b96b07a..aa1e1fa 100644
--- a/tests/tests_fcontext.yml
+++ b/tests/tests_fcontext.yml
@@ -13,7 +13,7 @@
selinux_fcontexts:
- { target: '/tmp/test_dir1(/.*)?', setype: 'user_home_dir_t', ftype: 'd' }
- { target: '/tmp/test_dir1(/.*)?', setype: 'user_home_dir_t',
ftype: 'd' }
- - include: set_selinux_variables.yml
+ - import_tasks: set_selinux_variables.yml
@ -84,11 +100,12 @@ index 0a411fb..f6f1bf4 100644
set_fact:
fcontext_before: "{{ selinux_role_fcontext.stdout }}"
diff --git a/tests/tests_login.yml b/tests/tests_login.yml
index efa826d..c7ce462 100644
index 67c6a9f..4ce8a0b 100644
--- a/tests/tests_login.yml
+++ b/tests/tests_login.yml
@@ -18,6 +18,6 @@
- { login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' }
@@ -17,7 +17,7 @@
- { login: 'sar-user', seuser: 'staff_u',
serange: 's0-s0:c0.c1023', state: 'present' }
- - include: set_selinux_variables.yml
+ - import_tasks: set_selinux_variables.yml
@ -96,12 +113,12 @@ index efa826d..c7ce462 100644
set_fact:
login_before: "{{ selinux_role_login.stdout }}"
diff --git a/tests/tests_port.yml b/tests/tests_port.yml
index 446f79d..7bb112e 100644
index 5b651b0..4172dcb 100644
--- a/tests/tests_port.yml
+++ b/tests/tests_port.yml
@@ -29,7 +29,7 @@
selinux_ports:
- { ports: '22022', proto: 'tcp', setype: 'ssh_port_t', state: 'present' }
- { ports: '22022', proto: 'tcp', setype: 'ssh_port_t',
state: 'present' }
- - include: set_selinux_variables.yml
+ - import_tasks: set_selinux_variables.yml
@ -109,10 +126,10 @@ index 446f79d..7bb112e 100644
set_fact:
port_after: "{{ selinux_role_port.stdout }}"
diff --git a/tests/tests_selinux_disabled.yml b/tests/tests_selinux_disabled.yml
index afd23e4..883dc6d 100644
index a0dbaeb..4d896a0 100644
--- a/tests/tests_selinux_disabled.yml
+++ b/tests/tests_selinux_disabled.yml
@@ -12,13 +12,17 @@
@@ -11,13 +11,17 @@
fcontext -a -t user_home_dir_t /tmp/test_dir
login -a -s staff_u sar-user
@ -131,15 +148,16 @@ index afd23e4..883dc6d 100644
- name: Add a Linux System Roles SELinux User
user:
@@ -67,17 +69,28 @@
assert:
@@ -80,18 +84,29 @@
that: "{{ ansible_selinux.config_mode == 'enforcing' }}"
msg: "SELinux config mode should be enforcing instead of {{ ansible_selinux.config_mode }}"
msg: "SELinux config mode should be enforcing instead of
{{ ansible_selinux.config_mode }}"
- - name: Restore original /etc/selinux/config
- copy:
- remote_src: true
- dest: /etc/selinux/config
- src: /etc/selinux/config.test_selinux_disabled
- mode: preserve
- - name: Remove /etc/selinux/config backup
- file:
- path: /etc/selinux/config.test_selinux_disabled
@ -158,6 +176,7 @@ index afd23e4..883dc6d 100644
+ remote_src: true
+ dest: /etc/selinux/config
+ src: /etc/selinux/config.test_selinux_disabled
+ mode: preserve
+
+ - name: Remove /etc/selinux/config backup
+ file: