
[issue #119] Update fcontext to allow override of built-in types
Signed-off-by: Yansheng Wei <[email protected]>
ywei2017 committed Apr 26, 2024
1 parent 415cf27 commit c653615
Showing 3 changed files with 54 additions and 1 deletion.
9 changes: 8 additions & 1 deletion resources/fcontext.rb
Expand Up @@ -93,7 +93,14 @@ def relabel_files
return
end

unless current_file_context
# "add" is performed in two scenarios.
# 1: The local file_contexts.local has an entry for new_resource.file_spec, but secontext <> new_resource.secontext
# 2. The local file_contexts.local does NOT have an entry for new_resource.file_spec, AND
# either the system default (file_contexts) does not have an entry for new_resource.file_spec, or the secontext <> new_resource.secontext
# In both scenarios, file_contexts.local is created with a new entry, or the secontext is updated.

cfc = current_file_context
unless cfc && cfc == new_resource.secontext
converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
relabel_files
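Review bot: The new `unless cfc && cfc == new_resource.secontext` guard now also runs when an entry already exists with a different label, but the command below it is still `semanage fcontext -a`, which — as far as I recall — semanage rejects with "already defined" when the spec is already in file_contexts.local (scenario 1 of the new comment), so the "secontext is updated" outcome the comment promises only materializes for scenario 2 (overriding a built-in entry). If `current_file_context` can tell a local entry from a built-in one, branch on that and issue `semanage fcontext -m -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'` for the local case; otherwise the comment should state that a differing local entry is not modified here. I cannot see `current_file_context`, so this is inferred from the comment's own description, and the enclosing action block starts and ends outside the hunk. Since the new branch reaches the shell line in more cases, note too that `file_spec` is interpolated into single quotes, so a spec containing `'` breaks the command; passing the arguments as an array to `shell_out!` avoids the quoting entirely.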
37 changes: 37 additions & 0 deletions test/cookbooks/selinux_test/recipes/fcontext.rb
Expand Up @@ -21,3 +21,40 @@
secontext 'etc_t'
file_type 'd'
end

# testing override of built-in context, using '/home/[^/]+/\.ssh(/.*)?'
# Use converge counter so we only do the fcontext manipulation in first round. Otherwise
# the "enforce_idempotency" will cause converge to fail.

node.run_state['chef_converge_counter'] = `cat /tmp/chef_converge_counter 2>/dev/null`.to_i
node.run_state['chef_converge_counter'] += 1
file '/tmp/chef_converge_counter' do
content lazy { node.run_state['chef_converge_counter'].to_s }
mode '0644'
only_if { node.run_state['chef_converge_counter'] == 1 }
end

execute 'Check built-in fcontext' do
command '/sbin/semanage fcontext -l | awk \'$1=="/home/[^/]+/\\\\.ssh(/.*)?"\' | grep ssh_home_t'
only_if { node.run_state['chef_converge_counter'] == 1 }
end

# override with 'shadow_t'
selinux_fcontext '/home/[^/]+/\.ssh(/.*)?' do
secontext 'shadow_t'
action :add
only_if { node.run_state['chef_converge_counter'] == 1 }
end

execute 'Check fcontext override' do
command '/sbin/semanage fcontext -l | awk \'$1=="/home/[^/]+/\\\\.ssh(/.*)?"\' | grep shadow_t'
only_if { node.run_state['chef_converge_counter'] == 1 }
end

# remove the override
selinux_fcontext '/home/[^/]+/\.ssh(/.*)?' do
action :delete
only_if { node.run_state['chef_converge_counter'] == 1 }
end


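Review bot: The converge counter on the first added lines is read with a backtick `cat` of a fixed path under /tmp and `.to_i`, which spawns a shell at compile time, silently yields 0 on any read failure, and relies on a world-writable directory; `::File.exist?(path) ? ::File.read(path).to_i : 0` with the path under `Chef::Config[:file_cache_path]` gives the same result without a subshell. The `file` resource only writes when the counter is 1, so after the first converge the file stays at 1 and every later run computes 2 and skips all guarded resources — that appears intended, but a comment such as `# file stays at 1 after the first converge; later runs see 2 and skip the fcontext steps` would save the next reader from tracing it. The two trailing blank lines at the end of the recipe can be reduced to one.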
9 changes: 9 additions & 0 deletions test/integration/fcontext/controls/fcontext_control.rb
Expand Up @@ -19,3 +19,12 @@
its('selinux_label') { should match 'etc_t' }
end
end

control 'fcontext override' do
title 'Verify that built-in SELinux file contexts override works correctly'

describe command('/sbin/semanage fcontext -l | awk \'$1=="/home/[^/]+/\\\\.ssh(/.*)?"\'') do
its('exit_status') { should eq 0 }
its('stdout') { should match /ssh_home_t/ }
end
end

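Review bot: The control only observes the state after the recipe has already deleted the override, so it proves the built-in `ssh_home_t` mapping is restored but never that the `shadow_t` override was applied; the title on the second added line overstates what is verified. Add `its('stdout') { should_not match /shadow_t/ }` so a lingering local entry is caught rather than passing because the built-in line is still printed, and either retitle the control to say it verifies restoration after delete or add a comment noting that the override itself is asserted by the recipe's `execute` resources. If the intent is to test the override end to end, the recipe would need to leave it in place for this control to see.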