All further code assumes that a connection object has been created and the default namespace (root/cimv2) is used. Also, the LMI_SELinuxService instance must have been acquired.
c = connect("https://myhost", "user", "secret")
service = c.root.cimv2.LMI_SELinuxService.first_instance()
system = c.root.cimv2.PG_ComputerSystem.first_instance()
As a convenience helper function for further use, lmi_unixfile_instance_name is defined. It provides an easy way to get file references for methods that require an LMI_UnixFile reference as a parameter.
def lmi_unixfile_instance_name(path):
props = {"CSName":system.name,
"CSCreationClassName":system.classname,
"FSCreationClassName":"ignored",
"FSName":"ignored",
"LFCreationClassName":"ignored",
"LFName":path}
return c.root.cimv2.LMI_UnixFile.new_instance_name(props)
General information about SELinux is available via the service instance:
def state_to_str(state):
if state == 0: return "Disabled"
elif state == 1: return "Permissive"
elif state == 2: return "Enabled"
else: return "Unknown"
print "Policy version: %s" % service.PolicyVersion
print "Policy type: %s" % service.PolicyType
print "Current state: %s" % state_to_str(service.SELinuxState)
print "Persistent state: %s" % state_to_str(service.SELinuxDefaultState)
Set service state, for example, set the default (persistent) state to Enforcing:
# 2 == Enforcing
service.SetSELinuxState({"NewState":2,
"MakeDefault":True})
List all booleans and print their current and default values:
booleans = c.root.cimv2.LMI_SELinuxBoolean.instances()
for boolean in booleans:
print "%-50s (%s, %s)" % (boolean.ElementName, boolean.State, boolean.DefaultState)
To enable the httpd_use_sasl boolean in the current runtime, but not permanently:
target = c.root.cimv2.LMI_SELinuxBoolean.new_instance_name({"InstanceID":"LMI:LMI_SELinuxBoolean:httpd_use_sasl"})
res = service.SetBoolean({"Target":target,
"Value":True,
"MakeDefault":False})
List all ports:
ports = c.root.cimv2.LMI_SELinuxPort.instances()
for port in sorted(ports):
print "%-30s %-10s %s" % (port.ElementName,
"tcp" if port.Protocol else "udp",
", ".join(port.Ports))
Label the TCP port 8080 with `http_port_t`:
target = c.root.cimv2.LMI_SELinuxPort.new_instance_name({"InstanceID":"LMI:LMI_SELinuxPort:TCP:http_port_t"})
service.SetPortLabel({"Target":target,
"PortRange":"8080"})
It is also possible to specify PortRange as an actual range, for example "8080-8090".
To see what SELinux context a file holds, the LogicalFile provider is used:
target = lmi_unixfile_instance_name("/tmp/file")
file = target.to_instance()
print file.SELinuxCurrentContext
print file.SELinuxExpectedContext
Set a file context:
target = lmi_unixfile_instance_name("/root")
service.SetFileLabel({"Target":target,
"Label":"my_user_u:my_role_r:my_type_t"})
Restore SELinux contexts of all the files in /etc/ recursively:
# 1 == Restore
target = lmi_unixfile_instance_name("/etc/")
service.RestoreLabels({"Target":target,
"Action":1,
"Recursively":True})