fs: Add restorecon to fs utility

We need to handle selinx contexts properly to prevent AVCs.
next-actions · Sep 19, 2024 · d368988 · d368988
1 parent f935c8a
commit d368988
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/pytest_mh/utils/fs.py b/pytest_mh/utils/fs.py
@@ -85,6 +85,7 @@ def mkdir(self, path: str, *, mode: str | None = None, user: str | None = None,
             """,
             log_level=ProcessLogLevel.Error,
         )
+        self.restorecon(path)
 
     def mkdir_p(
         self, path: str, *, mode: str | None = None, user: str | None = None, group: str | None = None
@@ -113,6 +114,7 @@ def mkdir_p(
             """,
             log_level=ProcessLogLevel.Error,
         )
+        self.restorecon(path)
 
         if result.stdout and result.stdout != path:
             if not backup_exists:
@@ -276,6 +278,7 @@ def write(
             input=contents,
             log_level=ProcessLogLevel.Error,
         )
+        self.restorecon(path)
 
     def append(
         self,
@@ -342,6 +345,7 @@ def touch(
             """,
             log_level=ProcessLogLevel.Error,
         )
+        self.restorecon(path)
 
     def truncate(
         self,
@@ -404,6 +408,7 @@ def copy(
             """,
             log_level=ProcessLogLevel.Error,
         )
+        self.restorecon(dstpath)
 
     def upload(
         self,
@@ -447,6 +452,7 @@ def upload(
             input=encoded,
             log_level=ProcessLogLevel.Error,
         )
+        self.restorecon(remote_path)
 
     def upload_to_tmp(
         self,
@@ -757,3 +763,23 @@ def sed(self, command: str, path: str, args: list[str] | None = None) -> Process
         self.logger.info(f"Running sed {command} on {path}")
         args = args if args else []
         return self.host.conn.exec(["sed", *args, command, path], log_level=ProcessLogLevel.Error)
+
+    def restorecon(self, path: str) -> bool:
+        """
+        Restore selinux context on a file or directory.
+        Does nothing when restorecon is not present on os without selinux.
+
+        :param path: File or directory where changes will happen
+        :type path: str
+        :return: True if restorecon succeeded
+        :rtype: bool
+        """
+        if self.exists("/usr/sbin/restorecon"):
+            self.logger.info(f"Running restorecon -rvF on {path}")
+            result = self.host.conn.exec(
+                ["restorecon", "-rvF", path], log_level=ProcessLogLevel.Error, raise_on_error=False
+            )
+            return result.rc == 0
+        else:
+            self.logger.info("Binary restorecon is missing.")
+        return False