From 65929b1d4c7278f775890dadc50e12efb1bda9f8 Mon Sep 17 00:00:00 2001
From: Yansheng Wei
Date: Tue, 23 Apr 2024 15:29:02 -0500
Subject: [PATCH] [issue #119] Update fcontext to allow override of built-in types

Signed-off-by: Yansheng Wei
---
 resources/fcontext.rb | 9 ++++-
 .../selinux_test/recipes/fcontext.rb | 37 +++++++++++++++++++
 .../fcontext/controls/fcontext_control.rb | 9 +++++
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/resources/fcontext.rb b/resources/fcontext.rb
index 9efbbbb8..d8e2ca8a 100644
--- a/resources/fcontext.rb
+++ b/resources/fcontext.rb
@@ -93,7 +93,14 @@ def relabel_files
 return
 end
 
- unless current_file_context
+ # "add" is performed in two scenarios.
+ # 1: The local file_contexts.local has an entry for new_resource.file_spec, but secontext <> new_resource.secontext
+ # 2. The local file_contexts.local does NOT have an entry for new_resource.file_spec, AND
+ either the system default (file_contexts) does not have an entry for new_resource.file_spec, or the secontext <> new_resource.secontext
+ # In both scenarios, file_contexts.local is created with a new entry, or the secontext is updated.
+ cfc = current_file_context
+ unless cfc && cfc == new_resource.secontext
 converge_by "adding label #{new_resource.secontext} to #{new_resource.file_spec}" do
 shell_out!("semanage fcontext -a -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")
 relabel_files
diff --git a/test/cookbooks/selinux_test/recipes/fcontext.rb b/test/cookbooks/selinux_test/recipes/fcontext.rb
index e64f3394..eb3f4ec1 100644
--- a/test/cookbooks/selinux_test/recipes/fcontext.rb
+++ b/test/cookbooks/selinux_test/recipes/fcontext.rb
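Review bot: The new condition sends both scenarios described in the comment through `semanage fcontext -a`, but `-a` rejects any target that already has an entry ("File context for … already defined"), so scenario 1 — a file_contexts.local entry for file_spec carrying a different label — will make `shell_out!` raise instead of updating the label, and the same happens when file_spec is byte-identical to a policy regex; the test's `[^/]+` presumably differs from the policy's own spelling of the `.ssh` pattern, which would be why `-a` succeeds there. The update path needs `-m`, which semanage accepts for both local and policy-defined entries. If `current_file_context` (defined outside this hunk) returns the label of any existing entry, the one-line fix is `shell_out!("semanage fcontext #{cfc ? '-m' : '-a'} -f #{new_resource.file_type} -t #{new_resource.secontext} '#{new_resource.file_spec}'")`; if it only reports local entries, the policy list (`semanage fcontext -l`) has to be consulted as well before choosing the flag. The comment's claim that "file_contexts.local is created with a new entry, or the secontext is updated" should then be reworded to match whichever path is actually implemented. The enclosing action block starts and ends outside the hunk.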
@@ -21,3 +21,40 @@
 secontext 'etc_t'
 file_type 'd'
 end
+
+# testing override of built-in context, using '/home/[^/]+/\.ssh(/.*)?'
+# Use converge counter so we only do the fcontext manipulation in first round. Otherwise
+# the "enforce_idempotency" will cause converge to fail.
+
+node.run_state['chef_converge_counter'] = `cat /tmp/chef_converge_counter 2>/dev/null`.to_i
+node.run_state['chef_converge_counter'] += 1
+file '/tmp/chef_converge_counter' do
+ content lazy { node.run_state['chef_converge_counter'].to_s }
+ mode '0644'
+ only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+execute 'Check built-in fcontext' do
+ command 'matchpathcon /home/user1/.ssh | grep ssh_home_t'
+ only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+# override with 'shadow_t'
+selinux_fcontext '/home/[^/]+/\.ssh(/.*)?' do
+ secontext 'shadow_t'
+ action :add
+ only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+execute 'Check fcontext override' do
+ command 'matchpathcon /home/user1/.ssh | grep shadow_t'
+ only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+# remove the override
+selinux_fcontext '/home/[^/]+/\.ssh(/.*)?' do
+ action :delete
+ only_if { node.run_state['chef_converge_counter'] == 1 }
+end
+
+
diff --git a/test/integration/fcontext/controls/fcontext_control.rb b/test/integration/fcontext/controls/fcontext_control.rb
index 5dc50331..61f17750 100644
--- a/test/integration/fcontext/controls/fcontext_control.rb
+++ b/test/integration/fcontext/controls/fcontext_control.rb
@@ -19,3 +19,12 @@
 its('selinux_label') { should match 'etc_t' }
 end
 end
+
+control 'fcontext override' do
+ title 'Verify that built-in SELinux file contexts override works correctly'
+
+ describe command('matchpathcon /home/user1/.ssh') do
+ its('exit_status') { should eq 0 }
+ its('stdout') { should match /ssh_home_t/ }
+ end
+end
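Review bot: The converge counter is read by shelling out to `cat` with stderr discarded, which spawns a subprocess for a plain file read and hides every failure other than a missing file; `counter_file = '/tmp/chef_converge_counter'` followed by `node.run_state['chef_converge_counter'] = (File.exist?(counter_file) ? File.read(counter_file).to_i : 0) + 1` does the same thing in Ruby and replaces the two assignment lines. Because the file lives in world-writable /tmp and is never reset, a stale or pre-created file silently turns the whole override test into a no-op on a reused instance, so it should be removed in a cleanup step or kept in a directory the test owns. Note also that the `action :delete` resource only runs if the `Check fcontext override` execute succeeds; on a failure the test node is left with every user's `~/.ssh` mapped (and, via the resource's relabel, presumably labelled) `shadow_t`, which is worth stating in the comment above the override, e.g. `# test-only override; cleaned up by the :delete below only when the checks pass`.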
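Review bot: The control only asserts that `/home/user1/.ssh` resolves to `ssh_home_t`, which is also the label before the recipe ever runs, so it passes just as well if the override was never applied at all. Checking that no local customization survived makes it discriminating, e.g. `describe command('semanage fcontext -lC') do` / `its('stdout') { should_not match(/shadow_t/) }` / `end` alongside the existing matchpathcon block. The title "built-in SELinux file contexts override works correctly" overstates what is verified here; "override is removed again after the test recipe" matches the assertions.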