Vh6 6ddlmZmZmZeZdZdZdZddl Z ddl m Z m Z ddl mZdZ ddlZdZdZ ddlZdZersej.j1ej2ej4ej6ej8ej:ej<ej>ej@ e!d d d ddddd Z"ddZ#dZ$dZ%ddZ&ddZ'dZ(e)dk(re(yy#e$re j&Zd ZYwxYw#e$re j&Zd ZYwxYw))absolute_importdivisionprint_functional module: sefcontext short_description: Manages SELinux file context mapping definitions description: - Manages SELinux file context mapping definitions. - Similar to the C(semanage fcontext) command. extends_documentation_fragment: - community.general.attributes - community.general.attributes.platform attributes: check_mode: support: full diff_mode: support: full platform: platforms: linux options: target: description: - Target path (expression). type: str required: true aliases: [path] ftype: description: - The file type that should have SELinux contexts applied. - 'The following file type options are available:' - V(a) for all files, - V(b) for block devices, - V(c) for character devices, - V(d) for directories, - V(f) for regular files, - V(l) for symbolic links, - V(p) for named pipes, - V(s) for socket files. type: str choices: [a, b, c, d, f, l, p, s] default: a setype: description: - SELinux type for the specified O(target). type: str substitute: description: - Path to use to substitute file context(s) for the specified O(target). The context labeling for the O(target) subtree is made equivalent to this path. - This is also referred to as SELinux file context equivalence and it implements the C(equal) functionality of the SELinux management tools. version_added: 6.4.0 type: str aliases: [equal] seuser: description: - SELinux user for the specified O(target). - Defaults to V(system_u) for new file contexts and to existing value when modifying file contexts. type: str selevel: description: - SELinux range for the specified O(target). - Defaults to V(s0) for new file contexts and to existing value when modifying file contexts. type: str aliases: [serange] state: description: - Whether the SELinux file context must be V(absent) or V(present). - Specifying V(absent) without either O(setype) or O(substitute) deletes both SELinux type or path substitution mappings that match O(target). type: str choices: [absent, present] default: present reload: description: - Reload SELinux policy after commit. - Note that this does not apply SELinux file contexts to existing files. type: bool default: true ignore_selinux_state: description: - Useful for scenarios (chrooted environment) that you cannot get the real SELinux state. type: bool default: false notes: - The changes are persistent across reboots. - O(setype) and O(substitute) are mutually exclusive. - If O(state=present) then one of O(setype) or O(substitute) is mandatory. - The M(community.general.sefcontext) module does not modify existing files to the new SELinux context(s), so it is advisable to first create the SELinux file contexts before creating files, or run C(restorecon) manually for the existing files that require the new SELinux file contexts. - Not applying SELinux fcontexts to existing files is a deliberate decision as it would be unclear what reported changes would entail to, and there is no guarantee that applying SELinux fcontext does not pick up other unrelated prior changes. requirements: - libselinux-python - policycoreutils-python author: - Dag Wieers (@dagwieers) a  - name: Allow apache to modify files in /srv/git_repos community.general.sefcontext: target: '/srv/git_repos(/.*)?' setype: httpd_sys_rw_content_t state: present - name: Substitute file contexts for path /srv/containers with /var/lib/containers community.general.sefcontext: target: /srv/containers substitute: /var/lib/containers state: present - name: Delete file context path substitution for /srv/containers community.general.sefcontext: target: /srv/containers substitute: /var/lib/containers state: absent - name: Delete any file context mappings for path /srv/git community.general.sefcontext: target: /srv/git state: absent - name: Apply new SELinux file context to filesystem ansible.builtin.command: restorecon -irv /srv/git_repos z # Default return values N) AnsibleModulemissing_required_lib) to_nativeTF)abcdflpsz all filesz block devicezcharacter device directoryz regular filez symbolic linkz named pipesocketc6|durdStjS)NT)selinuxis_selinux_enabled)ignore_selinux_states p/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/sefcontext.pyget_runtime_statusrs'4/4QW5O5O5QQcb|t|f}|j} ||S#t$rYywxYw)z` Get the SELinux file context mapping definition from policy. Return None if it does not exist. N)option_to_file_type_strget_allKeyError) sefcontexttargetftyperecordrecordss rsemanage_fcontext_existsr#sC-e4 5F  "Gv s " ..cl|jj||jj|S)zj Get the SELinux file context path substitution definition from policy. Return None if it does not exist. ) equiv_distgetequiv)rrs r#semanage_fcontext_substitute_existsr(s.  $ $VZ-=-=-A-A&-I JJrc dd} d} tj| } | j||t| ||} | r| \}}}}||}||}||k7s ||k7s||k7rW|js| j |||||d} |j r'| dz } | d|d|d|d|d|d|d z } | d |d|d|d|d|d|d z } n|d }|d }|js| j|||||d} |j r| d z } | d |d|d|ddd|d|d z } nt| |} | rQ| }||k7r|js| j||d} |j r[| dz } | d|d|d z } | d |d|d z } n=|js| j||d} |j r| dz } | d |d|d z } |j r| rt!| |d<|j"d| ||d|y#t$r?}|j|jjdt|d Yd}~wd}~wwxYw)zF Add or modify SELinux file context mapping definition to the policy. FNTz+# Change to semanage file context mappings - : +system_us0z-# Addition to semanage file context mappings object_rz5# Change to semanage file context path substitutions  = z7# Addition to semanage file context path substitutions : msgprepareddiff)changedseuserserange)seobjectfcontextRecords set_reloadr# check_modemodify_diffaddr( modify_equal add_equal Exception fail_json __class____name__rdict exit_json)moduleresultrr setype substitute do_reloadr<r;sestorer: prepared_diffrexists orig_seuser orig_serole orig_setype orig_serangeorig_substitutees rsemanage_fcontext_modifyr[sGM>P--g6 i(  -j&%HFFLC [+|>(F?*G[(Fk,AWP\E\!,,"))&&%&Q"G||%)WW %VUZ\gitwBDP*QQ %VUZ\bdoqwzA*BB >'F?"G((NN665'6J<<!%UUM!QVX^`jlrt{%||M8VLF"(0!,,"// C"G||%)aa %)QQ %)LL ((((<<<!%__M!VZ%HHM || }5vFOWVWOO P1;;+?+?1NOOPsF-G'' H/05H**H/cd}d} tj|} | j|t| ||} t | |} | r^|\| \} }}}|j s| j ||d}|jr)| dz } | d|d|d| dd | d d | d d | d d z } | rJ|H|| |k(s|?| }|j s| j ||d}|jr| dz } | d|d|d z } |jr| rt| |d<|jdd|i|y#t$r?}|j|jjdt|d Yd}~ud}~wwxYw)zA Delete SELinux file context mapping definition from the policy. Fr*NTz-# Deletion to semanage file context mappings r+r,rr-r.z7# Deletion to semanage file context path substitutions r3r4r5r7r9r:r=)r>r?r@r#r(rAdeleterCrGrHrIrJrrKrL)rMrNrr rOrPrQrRr:rSrrTsubstitute_existsrUrVrWrXrYrZs rsemanage_fcontext_deleterbsGMP--g6 i()*feD? FS j(BH ?Kk<$$!!&%0G||!QQ VUTZ[\T]_efg_hjpqrjsu{|}u~! j6LQbfpQpuvH/O$$!!&/:G||![[ !II || }5vF/W// P1;;+?+?1NOOPsC+D## E+,5E&&E+ctttddtdddgtddttj  td tdd g td tdd g tddddg tdd gddgd}t s |j tdtts |j tdt|jd}t|s|j d|jd}|jd}|jd}|jd}|jd}|jd}|jd }|jd!} t|||||"} |dk(rt|| ||||| || y|dk(rt|| ||||| y|j d#j|y)$NboolF)typedefaultstrTpath)rerequiredaliasesr )rerfchoices)reequal)rerjr<presentabsent) rrr rOrPr;selevelstatereload)rOrP)rPr )rPr;)rPro)rprmrrT) argument_specmutually_exclusive required_ifsupports_check_modezlibselinux-python)r6 exceptionzpolicycoreutils-pythonrz!SELinux is disabled on this host.r5rr rOrPr;rorprq)rr rOrPrpz&Invalid value of argument "state": {0})rrKlistrkeys HAVE_SELINUXrHrSELINUX_IMP_ERR HAVE_SEOBJECTSEOBJECT_IMP_ERRparamsrr[rbformat) rMrrr rOrPr;r<rprQrNs rmainrHs !%65!AUTF8DE3=T=Y=Y=[8\]U# :U#ei[9E9x>STVT2    A !-F0 12EFRab 12JKWgh!==)?@ 2 3@A ]]8 $F MM' "E ]]8 $F|,J ]]8 $FmmI&G MM' "E h'I uV Z_ `F   T]_fhno (   T]^ELLUSTr__main__)F)r*)* __future__rrrre __metaclass__ DOCUMENTATIONEXAMPLESRETURN tracebackansible.module_utils.basicrr+ansible.module_utils.common.text.convertersrr{rrz ImportError format_excr}r>r| file_typesupdateSEMANAGE_FCONTEXT_ALLSEMANAGE_FCONTEXT_BLOCKSEMANAGE_FCONTEXT_CHARSEMANAGE_FCONTEXT_DIRSEMANAGE_FCONTEXT_REGSEMANAGE_FCONTEXT_LINKSEMANAGE_FCONTEXT_PIPESEMANAGE_FCONTEXT_SOCKrKrrr#r(r[rbrrJr=rrrsnA@ _ B 8 JAL M    ( (  * *  ) )  ( (  ( (  ) )  ) )  ) )  R K IPX(0V4Un zFU*i**,OL+y++-Ms"CC=C:9C:=DD