[POC] apply explicit SELinux label on tempfile in copy #80302

Closed

nitzmahone
Member

SUMMARY

fixes #80269

SELinux labels are only applied at the final stage of the copy module; however, the system policy may require a specific context for the file accessed by the process in the validate step, which will not be present on the intermediate tempfile that validate is run against. This change applies explicitly-set SELinux labels (including _default to use the policy default) to the tempfile when validate is used (consistent with the other permissions/ownership things we were already doing).

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

copy.py

@ansibot ansibot added WIP This issue/PR is a work in progress. Nevertheless it was shared for getting input from peers. affects_2.15 bug This issue/PR relates to a bug. has_issue module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. small_patch labels Mar 24, 2023
@nitzmahone
Member Author

(looks like there are some test failures from moving the load_file_common_args call around, so if we proceed, may need to refactor some of that to avoid whatever issues that's inducing)

@mkrizek mkrizek removed the needs_triage Needs a first human triage before being processed. label Mar 28, 2023
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Apr 5, 2023
@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Jul 12, 2023

@webknjaz
Member

This branch needs rebasing for the CI to pick it up.

@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label May 30, 2024
@ansibot ansibot removed the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label May 30, 2024
secontext = file_args['secontext']

if secontext and any(secontext): # only bother if any of the context attributes were specified
module.set_context_if_different(src, secontext, False)
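Review bot: nothing around the `module.set_context_if_different(src, secontext, False)` call handles a failed relabel, and its return value is dropped, so a context that cannot be applied to the tempfile would surface as an error here rather than in the validate step it is meant to help. Consider catching the failure and emitting a warning so validate still runs against the tempfile with whatever label it already has, and add a short comment saying that the positional `False` is the starting changed state and that the result is deliberately ignored for the intermediate file.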
Member

In cases where the tempfile is not in the same folder, this might fail, so I would make this 'best effort'.

@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jun 13, 2024
@ansibot ansibot added the needs_rebase https://docs.ansible.com/ansible/devel/dev_guide/developing_rebasing.html label Dec 13, 2024
@ansibot ansibot added the stale_pr This PR has not been pushed to for more than one year. label Jan 28, 2025
@nitzmahone nitzmahone closed this Feb 7, 2025
Development

Successfully merging this pull request may close these issues.

template validation fails because of SELinux errors