(PUP-7126) Use selabel_lookup instead of matchpathcon #9349
+82
−20
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AriaXLi
force-pushed
the
PUP-7126
branch
4 times, most recently
from
b05e468
to
65f1112
Compare
joshcooper
reviewed
May 21, 2024
AriaXLi
force-pushed
the
PUP-7126
branch
14 times, most recently
from
c3b7af8
to
82ff1fe
Compare
joshcooper
reviewed
Jun 3, 2024
AriaXLi
added a commit
to AriaXLi/puppet
that referenced
this pull request
Jun 3, 2024
This commit adds API documentation, updates a call to, and adds a spec test for the pre_resource_eval class function in the POSIX file provider (which was added in puppetlabs#9349). When called, pre_resource_eval will create a class variable, selinux_handle, which can be used when handling data for SELinux. Since the handle is a class variable, we can avoid running into performance issues since the handle can be re-used instead of needing to make a new one each time.
AriaXLi
force-pushed
the
PUP-7126
branch
6 times, most recently
from
03eac32
to
0c17a5a
Compare
AriaXLi
added a commit
to AriaXLi/puppet
that referenced
this pull request
Jun 3, 2024
This commit adds API documentation, updates a call to, and adds a spec test for the pre_resource_eval class function in the POSIX file provider (which was added in puppetlabs#9349). When called, pre_resource_eval will create a class variable, selinux_handle, which can be used when handling data for SELinux. Since the handle is a class variable, we can avoid running into performance issues since the handle can be re-used instead of needing to make a new one each time. Additionally, since the old method wasn't completely removed & replaced (and instead deprecated), less changes to old spec tests are needed as their calls to the deprecated method aren't impacted.
AriaXLi
added a commit
to AriaXLi/puppet
that referenced
this pull request
Jun 3, 2024
This commit adds API documentation, updates a call to, and adds a spec test for the pre_resource_eval class function in the POSIX file provider (which was added in puppetlabs#9349). When called, pre_resource_eval will create a class variable, selinux_handle, which can be used when handling data for SELinux. Since the handle is a class variable, we can avoid running into performance issues since the handle can be re-used instead of needing to make a new one each time. Additionally, since the old method wasn't completely removed & replaced (and instead deprecated), less changes to old spec tests are needed as their calls to the deprecated method aren't impacted.
AriaXLi
force-pushed
the
PUP-7126
branch
3 times, most recently
from
941be4d
to
379945e
Compare
joshcooper
reviewed
Jun 5, 2024
joshcooper
reviewed
Jun 5, 2024
AriaXLi
force-pushed
the
PUP-7126
branch
6 times, most recently
from
0dbb4ba
to
e13cd19
Compare
joshcooper
reviewed
Jun 6, 2024
This commit: - Deprecates get_selinux_default_context which calls the deprecated Selinux.matchpathcon and replaces it with get_selinux_default_context_with_handle which calls Selinux.selabel_lookup instead. The new method requires a handle since selabel_lookup requires a handle - Adds a getter method for the class variable, selinux_handle, in the POSIX file provider which is used to get the handle for get_selinux_default_context_with_handle. With this getter method, selinux_handle will only initialized once with Selinux.selabel_lookup. - Updates post_resource_eval in the POSIX file provider to call Selinux.selabel_close instead of the deprecated Selinux.matchpathcon_fini when terminating selinux_handle. After, selinux_handle is set to nil. Co-authored-by: William Bradford Clark <wclark@redhat.com>
joshcooper
approved these changes
Jun 7, 2024
There was a problem hiding this comment.
Verified this is working as expected on RHEL7 with
# setenforce Permissive
# reboot
... reconnect
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
# cat manifest.pp
Integer[0, 5].each |$i| {
file { "/root/tmp/file$i.txt":
ensure => file,
seltype => 'etc_t',
}
}
# mkdir ~/tmp
# bundle exec puppet apply manifest.pp
/root/puppet/lib/puppet/provider/file/posix.rb:22: warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle
Notice: Compiled catalog for XXX in environment production in 0.02 seconds
Notice: /Stage[main]/Main/File[/root/tmp/file0.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file1.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file2.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file3.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file4.txt]/ensure: created
Notice: /Stage[main]/Main/File[/root/tmp/file5.txt]/ensure: created
Notice: Applied catalog in 0.28 seconds
# ls -Z /root/tmp/file0.txt
-rw-r--r--. root root system_u:object_r:etc_t:s0 /root/tmp/file0.txt
# bundle exec puppet apply manifest.pp
/root/puppet/lib/puppet/provider/file/posix.rb:22: warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle
Notice: Compiled catalog for XXX in environment production in 0.02 seconds
Notice: Applied catalog in 0.27 seconds
# vi manifest.pp
# grep seltype manifest.pp
seltype => 'user_home_t',
# bundle exec puppet apply manifest.pp
/root/puppet/lib/puppet/provider/file/posix.rb:22: warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle
Notice: Compiled catalog for XXX in environment production in 0.02 seconds
Notice: /Stage[main]/Main/File[/root/tmp/file0.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file1.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file2.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file3.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file4.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
Notice: /Stage[main]/Main/File[/root/tmp/file5.txt]/seltype: seltype changed 'etc_t' to 'user_home_t'
The warning: undefining the allocator of T_DATA class SWIG::TYPE_p_selabel_handle error is unrelated to this. It seems our fix in puppetlabs/puppet-runtime#620 is not working. I'll file a separate issue about that.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.