author | Scott Moser <smoser@ubuntu.com> | 2011-10-30 17:17:03 -0400 |
committer | Scott Moser <smoser@ubuntu.com> | 2011-10-30 17:17:03 -0400 |
commit | 25824d2007e062f32a7bf3c502eaf9b8f2bf4c15 (patch) | |
tree | 9a70da85e6faf0265386dac0ce7ea08d01ece44c /cloudinit | |
parent | 6d9f6dfcf7e28f398b426c18ca36adeec24f8061 (diff) | |
Restore created files' selinux contexts
This adds a restorecon_if_possible method which uses the selinux
python module, and uses that for files modified in /etc.
taken from
git://pkgs.fedoraproject.org/cloud-init.git
commit 87f33190f43d2b26cced4597e7298835024466c2
Author: Garrett Holmstrom <gholms@fedoraproject.org>
Patch3: cloud-init-0.6.2-filecontext.patch
Diffstat (limited to 'cloudinit')
-rw-r--r-- | cloudinit/CloudConfig/cc_puppet.py | 3 | ||||
-rw-r--r-- | cloudinit/CloudConfig/cc_ssh.py | 2 | ||||
-rw-r--r-- | cloudinit/SshUtil.py | 1 | ||||
-rw-r--r-- | cloudinit/util.py | 11 |
4 files changed, 17 insertions, 0 deletions
diff --git a/cloudinit/CloudConfig/cc_puppet.py b/cloudinit/CloudConfig/cc_puppet.py
index 64b7c237..1dcd6a75 100644
--- a/cloudinit/CloudConfig/cc_puppet.py
+++ b/cloudinit/CloudConfig/cc_puppet.py
@@ -22,6 +22,7 @@ import subprocess import StringIO import ConfigParser import cloudinit.CloudConfig as cc
+import cloudinit.util as util
 def handle(name,cfg,cloud,log,args): # If there isn't a puppet key in the configuration don't do anything
@@ -58,6 +59,7 @@ def handle(name,cfg,cloud,log,args): ca_fh.close() os.chown('/var/lib/puppet/ssl/certs/ca.pem', pwd.getpwnam('puppet').pw_uid, 0)
+ util.restorecon_if_possible('/var/lib/puppet', recursive=True)
 else: #puppet_conf_fh.write("\n[%s]\n" % (cfg_name)) # If puppet.conf already has this section we don't want to write it again
@@ -81,6 +83,7 @@ def handle(name,cfg,cloud,log,args): os.rename('/etc/puppet/puppet.conf','/etc/puppet/puppet.conf.old') with open('/etc/puppet/puppet.conf', 'wb') as configfile: puppet_config.write(configfile)
+ util.restorecon_if_possible('/etc/puppet/puppet.conf')
 # Set puppet default file to automatically start subprocess.check_call(['sed', '-i', '-e', 's/^START=.*/START=yes/',
diff --git a/cloudinit/CloudConfig/cc_ssh.py b/cloudinit/CloudConfig/cc_ssh.py
index 50b6a73c..727fd398 100644
--- a/cloudinit/CloudConfig/cc_ssh.py
+++ b/cloudinit/CloudConfig/cc_ssh.py
@@ -66,6 +66,8 @@ def handle(name,cfg,cloud,log,args): genkeys+='ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -t ecdsa -N ""; ' subprocess.call(('sh', '-c', "{ %s } </dev/null" % (genkeys)))
+ util.restorecon_if_possible('/etc/ssh', recursive=True)
+
 try: user = util.get_cfg_option_str(cfg,'user') disable_root = util.get_cfg_option_bool(cfg, "disable_root", True)
diff --git a/cloudinit/SshUtil.py b/cloudinit/SshUtil.py
index bc699a61..fdd3bb27 100644
--- a/cloudinit/SshUtil.py
+++ b/cloudinit/SshUtil.py
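Review bot: The relabel added after the puppet.conf write does not cover the file that the `sed -i` on the following line rewrites: `sed -i` writes a temporary file and renames it over the original, so unless that sed build preserves SELinux contexts the rewritten default file keeps the creating process's label instead of its file_contexts default. A `util.restorecon_if_possible(<path passed to sed>)` after the `subprocess.check_call` would close that gap; the sed argument list and the rest of handle() continue outside the hunk, so the exact path is not visible here. It is also worth recording why this call is needed at all, since puppet.conf is written through a plain `open()` rather than `util.write_file` (which relabels on its own after this commit): `# written via open(), so relabel explicitly; util.write_file does this itself`.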
@@ -147,6 +147,7 @@ def setup_user_keys(keys, user, key_prefix, log=None): util.write_file(authorized_keys, content, 0600) os.chown(authorized_keys, pwent.pw_uid, pwent.pw_gid)
+ util.restorecon_if_possible(ssh_dir, recursive=True)
 os.umask(saved_umask)
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 68ce674e..744fb71e 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -28,6 +28,12 @@ import time import traceback import re
+try:
+ import selinux
+ HAVE_LIBSELINUX = True
+except ImportError:
+ HAVE_LIBSELINUX = False
+
 def read_conf(fname): try: stream = open(fname,"r")
@@ -113,6 +119,11 @@ def write_file(file,content,mode=0644,omode="wb"): os.chmod(file,mode) f.write(content) f.close()
+ restorecon_if_possible(file)
+
+def restorecon_if_possible(path, recursive=False):
+ if HAVE_LIBSELINUX and selinux.is_selinux_enabled():
+ selinux.restorecon(path, recursive=recursive)
 # get keyid from keyserver def getkeybyid(keyid,keyserver): |
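Review bot: The new `util.restorecon_if_possible(ssh_dir, recursive=True)` is placed between the key installation and `os.umask(saved_umask)`, so if the relabel raises (libselinux's restorecon can raise OSError when a path cannot be labeled, and the helper added to cloudinit/util.py in this same commit does not catch it) the function exits with the tightened umask still in effect for the rest of the cloud-init run. The relabel creates no files, so the umask is irrelevant to it; moving the call to after `os.umask(saved_umask)`, or wrapping the region in try/finally, removes that leak. setup_user_keys starts outside the hunk, so whether a try/finally already encloses this region is not visible here.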
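Review bot: `restorecon_if_possible` only guards the SELinux-disabled and no-bindings cases; a failing `selinux.restorecon` (a path with no file_contexts entry, or a filesystem without xattr support, for example) propagates, and because `write_file` now calls it after every write, every caller of write_file gains a new exception path on SELinux hosts even though the content is already on disk. Given the helper's name, the relabel should be best-effort: catch OSError inside the helper and report it instead of letting it fail the write. `traceback` is already imported in this module (visible in the earlier hunk's context), so the failure can at least be printed; substitute the module's usual logger if it has one. The import guard (`HAVE_LIBSELINUX`) in the earlier hunk is fine as is.
```python
def restorecon_if_possible(path, recursive=False):
    if not (HAVE_LIBSELINUX and selinux.is_selinux_enabled()):
        return
    try:
        selinux.restorecon(path, recursive=recursive)
    except OSError:
        # best-effort: a path that cannot be relabeled must not turn an
        # already-completed write into a failure; report and continue
        traceback.print_exc()
```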