Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fs: Add restorecon to fs utility #85

Closed
wants to merge 1 commit into from
Closed

fs: Add restorecon to fs utility #85

wants to merge 1 commit into from

Conversation

jakub-vavra-cz
Copy link
Collaborator

The files/dirs created by the fs utility needs to have proper selinux context.

@jakub-vavra-cz jakub-vavra-cz force-pushed the restorecon branch 3 times, most recently from bd3485a to d368988 Compare September 19, 2024 11:45
ikerexxe
ikerexxe reviewed Oct 1, 2024
View reviewed changes
pytest_mh/utils/fs.py Outdated
def restorecon(self, path: str) -> bool:
"""
Restore selinux context on a file or directory.
Does nothing when restorecon is not present on os without selinux.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/on/in

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

pytest_mh/utils/fs.py
:param path: File or directory where changes will happen
:type path: str
:return: True if restorecon succeeded
:rtype: bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am concerned that this function will return False if restorecon is not present in the system, as this may be seen as an error by the caller. I wonder if this shouldn't be an int/enum type, which will help us detect different types of scenarios.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The idea is that this will be noop on distros without selinux.
If we need to make sure that restorecon exists the fs utility can already do that before calling this.
We do not need to complicate this one.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current implementation isn't a noop as any caller checking the return value for this method where SELinux isn't present would get a False value and this could be interpreted as a failure. If we are to return a boolean, then the non-SELinux case should return True

@jakub-vavra-cz
fs: Add restorecon to fs utility
b2366f2 
We need to handle selinx contexts properly to prevent AVCs.
@pbrezina
Copy link
Contributor

pbrezina commented Oct 2, 2024

I wouldn't merge this until we understand what happens and confirm that this will actually fix it. The problem was with /etc/krb5.conf, which we don't modify using the fs util, and it is present only in FIPS mode. I would like to avoid binding this class to SELinux, unless it serves some use case.

@pbrezina
Copy link
Contributor

IIRC you said that everything works fine in FIPS mode yesterday, then this is not in fact needed. Please, reopen it if I understood it wrongly.

@pbrezina pbrezina closed this Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ikerexxe ikerexxe ikerexxe left review comments

Assignees

@ikerexxe ikerexxe

@pbrezina pbrezina

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jakub-vavra-cz @pbrezina @ikerexxe