From ba5fb03646f6318a0ace286da746b4bb32f75d5a Mon Sep 17 00:00:00 2001
From: harlowja
Date: Thu, 21 Jun 2012 23:35:07 -0700
Subject: Fixup python selinux guards, only try to restore after we check if its useful to restore, fix test to work with selinux enabled sysystems
---
 cloudinit/stages.py | 20 ++++++++++++--------
 cloudinit/util.py | 26 +++++++++++++++++---------
 2 files changed, 29 insertions(+), 17 deletions(-)
(limited to 'cloudinit')
diff --git a/cloudinit/stages.py b/cloudinit/stages.py
index 25f13fd4..cf5e6924 100644
--- a/cloudinit/stages.py
+++ b/cloudinit/stages.py
@@ -221,11 +221,12 @@ class Init(object):
 (cfg_list, pkg_list) = self._get_datasources()
 # Deep copy so that user-data handlers can not modify
 # (which will affect user-data handlers down the line...)
- sys_cfg = copy.deepcopy(self.cfg)
- ds_deps = copy.deepcopy(self.ds_deps)
- (ds, dsname) = sources.find_source(sys_cfg, self.distro,
+ (ds, dsname) = sources.find_source(self.cfg,
+ self.distro,
 self.paths,
- ds_deps, cfg_list, pkg_list)
+ copy.deepcopy(self.ds_deps),
+ cfg_list,
+ pkg_list)
 LOG.debug("Loaded datasource %s - %s", dsname, ds)
 if ds:
 self.datasource = ds
@@ -408,7 +409,7 @@ class Modules(object):
 def __init__(self, init, cfg_files=None):
 self.datasource = init.datasource
 self.cfg_files = cfg_files
- self.base_cfg = copy.deepcopy(init.cfg)
+ self.base_cfg = init.cfg
 self.init = init
 # Created on first use
 self._cached_cfg = None
@@ -419,7 +420,8 @@ class Modules(object):
 if self._cached_cfg is None:
 self._cached_cfg = self._get_config()
 LOG.debug("Loading 'module' config %s", self._cached_cfg)
- return self._cached_cfg
+ # Only give out a copy so that others can't modify this...
+ return copy.deepcopy(self._cached_cfg)

 def _get_config(self):
 t_cfgs = []
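Review bot: In the `Init` hunk at line 221 the retained comment `# Deep copy so that user-data handlers can not modify` now sits above a `find_source` call that receives `self.cfg` itself, with only `ds_deps` still deep-copied. Whether `Init.cfg` returns a fresh object on each access is not visible here (the enclosing method starts above the hunk); if it does not, a datasource can mutate the configuration that every later stage reads. The same applies to `self.base_cfg = init.cfg` in `Modules.__init__` (hunk at line 408). Either keep `copy.deepcopy(...)` at these two sites, or, if the property does return a copy, reword the comment to say so, e.g. `# self.cfg hands out a private copy; only ds_deps needs copying here`.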
@@ -531,9 +533,11 @@ class Modules(object):
 LOG.warn(("Module %s is verified on %s distros"
 " but not on %s distro. It may or may not work"
 " correctly."), name, worked_distros, d_name)
- # Deep copy the config so that modules can't alter it
 # Use the configs logger and not our own
- func_args = [name, copy.deepcopy(self.cfg),
+ # TODO: possibly check the module
+ # for having a LOG attr and just give it back
+ # its own logger?
+ func_args = [name, self.cfg,
 cc, config.LOG, args]
 # Mark it as having started running
 am_ran += 1
diff --git a/cloudinit/util.py b/cloudinit/util.py
index 3aa4e462..332b8379 100644
--- a/cloudinit/util.py
+++ b/cloudinit/util.py
@@ -35,6 +35,7 @@ import pwd
 import random
 import shutil
 import socket
+import stat
 import string # pylint: disable=W0402
 import subprocess
 import sys
@@ -132,14 +133,24 @@ class SeLinuxGuard(object):
 self.enabled = True

 def __enter__(self):
- # TODO: Should we try to engage selinux here??
 return self.enabled

 def __exit__(self, excp_type, excp_value, excp_traceback):
 if self.enabled:
- LOG.debug("Restoring selinux mode for %s (recursive=%s)",
- self.path, self.recursive)
- selinux.restorecon(self.path, recursive=self.recursive)
+ path = os.path.realpath(os.path.expanduser(self.path))
+ do_restore = False
+ try:
+ # See if even worth restoring??
+ stats = os.lstat(path)
+ if stat.ST_MODE in stats:
+ selinux.matchpathcon(path, stats[stat.ST_MODE])
+ do_restore = True
+ except OSError:
+ pass
+ if do_restore:
+ LOG.debug("Restoring selinux mode for %s (recursive=%s)",
+ path, self.recursive)
+ selinux.restorecon(path, recursive=self.recursive)


 class MountFailedError(Exception):
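Review bot: In `SeLinuxGuard.__exit__`, `if stat.ST_MODE in stats:` does not test whether the mode field is present: `stat.ST_MODE` is the index 0, so the expression asks whether any field of the lstat result equals 0. It is therefore true only by accident (a uid, gid or size of 0), and for a path with no zero-valued field `do_restore` stays False and the label is silently left unrestored. Drop the test and call `selinux.matchpathcon(path, stats[stat.ST_MODE])` directly after `os.lstat(path)`. The `except OSError: pass` also hides why a restore was skipped; a `LOG.debug` there carrying the path and the error would make a mislabelled file traceable.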
@@ -1067,8 +1078,7 @@ def ensure_dir(path, mode=None):
 if not os.path.isdir(path):
 # Make the dir and adjust the mode
 LOG.debug("Ensuring directory exists at path %s", path)
- # TODO: check if guard needed??
- with SeLinuxGuard(path=os.path.dirname(path)):
+ with SeLinuxGuard(os.path.dirname(path), recursive=True):
 os.makedirs(path)
 chmod(path, mode)
 else:
@@ -1222,8 +1232,7 @@ def chmod(path, mode):
 if path and real_mode:
 LOG.debug("Adjusting the permissions of %s (perms=%o)",
 path, real_mode)
- # TODO: check if guard needed??
- with SeLinuxGuard(path=path):
+ with SeLinuxGuard(path):
 os.chmod(path, real_mode)


@@ -1239,7 +1248,6 @@ def write_file(filename, content, mode=0644, omode="wb"):
 """
 ensure_dir(os.path.dirname(filename))
 LOG.debug("Writing to %s - %s, %s bytes", filename, omode, len(content))
- # TODO: check if guard needed??
 with SeLinuxGuard(path=filename):
 with open(filename, omode) as fh:
 fh.write(content)
--
cgit v1.2.3
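Review bot: In `ensure_dir`, `SeLinuxGuard(os.path.dirname(path), recursive=True)` points the recursive restore at the whole parent tree of the new directory rather than at what `os.makedirs` created. For a directory created directly under a large or shared parent this walks everything beneath that parent and may reset contexts an administrator set on purpose, and `os.path.dirname` of a bare relative name is `''`, which the guard's `os.path.realpath` call resolves to the current working directory. Consider recording the highest ancestor of `path` that does not yet exist before calling `os.makedirs` and passing that to the guard, so the recursive restore is limited to newly created directories. The function body continues outside the hunk.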