In order to support existing systems which mount selinuxfs under '/selinux' and those that do not -- starting with Fedora 16 the selinuxfs will be mounted under '/sys/fs/selinux' -- this patch changes the selinux mount point from a static value of '/selinux' to the results returned from searching '/proc/self/mountinfo'.
Signed-off-by: Kelsey Hightower <[email protected]>
---
Local-branch: ticket/master/8964
lib/facter/selinux.rb | 109 +++++++++++++++++++++++++++---------------------
1 files changed, 61 insertions(+), 48 deletions(-)
diff --git a/lib/facter/selinux.rb b/lib/facter/selinux.rb
index 1555da0..62000d7 100644
--- a/lib/facter/selinux.rb
+++ b/lib/facter/selinux.rb
@@ -10,69 +10,82 @@ # Fact for SElinux # Written by immerda admin team (admin(at)immerda.ch) -Facter.add("selinux") do - confine :kernel => :linux +sestatus_cmd = '/usr/sbin/sestatus' + +# This supports the fact that the selinux mount point is not always in the +# same location -- the selinux mount point is operating system specific. +def selinux_mount_point + if FileTest.exists?('/proc/self/mountinfo') + File.open('/proc/self/mountinfo') do |f| + f.grep(/selinuxfs/) do |line| + line.split[4] + end + end + end +end - setcode do - result = "false" - if FileTest.exists?("/selinux/enforce") - if FileTest.exists?("/proc/self/attr/current") - if (File.read("/proc/self/attr/current") != "kernel\0") - result = "true" - end - end +Facter.add("selinux") do + confine :kernel => :linux + setcode do + result = "false" + if FileTest.exists?("#{selinux_mount_point}/enforce") + if FileTest.exists?("/proc/self/attr/current") + if (File.read("/proc/self/attr/current") != "kernel\0") + result = "true" end - result + end end + result + end end Facter.add("selinux_enforced") do - confine :selinux => :true - - setcode do - result = "false" - if FileTest.exists?("/selinux/enforce") and File.read("/selinux/enforce") =~ /1/i - result = "true" - end - result + confine :selinux => :true + setcode do + result = "false" + if FileTest.exists?("#{selinux_mount_point}/enforce") and + File.read("#{selinux_mount_point}/enforce") =~ /1/i + result = "true" end + result + end end Facter.add("selinux_policyversion") do - confine :selinux => :true - setcode do - File.read("/selinux/policyvers") - end + confine :selinux => :true + setcode do + File.read("#{selinux_mount_point}/policyvers") + end end Facter.add("selinux_current_mode") do - confine :selinux => :true - setcode do - result = 'unknown' - mode = Facter::Util::Resolution.exec('/usr/sbin/sestatus') - mode.each_line { |l| result = $1 if l =~ /^Current mode\:\s+(\w+)$/i } - result.chomp - end + confine :selinux => :true + setcode do + result = 
'unknown' + mode = Facter::Util::Resolution.exec(sestatus_cmd) + mode.each_line { |l| result = $1 if l =~ /^Current mode\:\s+(\w+)$/i } + result.chomp + end end Facter.add("selinux_config_mode") do - confine :selinux => :true - setcode do - result = 'unknown' - mode = Facter::Util::Resolution.exec('/usr/sbin/sestatus') - mode.each_line { |l| result = $1 if l =~ /^Mode from config file\:\s+(\w+)$/i } - result.chomp - end + confine :selinux => :true + setcode do + result = 'unknown' + mode = Facter::Util::Resolution.exec(sestatus_cmd) + mode.each_line { |l| result = $1 if l =~ /^Mode from config file\:\s+(\w+)$/i } + result.chomp + end end Facter.add("selinux_config_policy") do - confine :selinux => :true - setcode do - result = 'unknown' - mode = Facter::Util::Resolution.exec('/usr/sbin/sestatus') - mode.each_line { |l| result = $1 if l =~ /^Policy from config file\:\s+(\w+)$/i } - result.chomp - end + confine :selinux => :true + setcode do + result = 'unknown' + mode = Facter::Util::Resolution.exec(sestatus_cmd) + mode.each_line { |l| result = $1 if l =~ /^Policy from config file\:\s+(\w+)$/i } + result.chomp + end end # This is a legacy fact which returns the old selinux_mode fact value to prevent @@ -80,8 +93,8 @@ end # See ticket #6677. Facter.add("selinux_mode") do - confine :selinux => :true - setcode do - Facter.value(:selinux_config_policy) - end + confine :selinux => :true + setcode do + Facter.value(:selinux_config_policy) + end end -- 1.7.4.4
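Review bot: `selinux_mount_point` returns the value of `f.grep(/selinuxfs/) { |line| line.split[4] }`, which is an Array (or nil when `/proc/self/mountinfo` is absent), yet every caller in the first hunk interpolates it as a single path, as in `"#{selinux_mount_point}/enforce"`. On Ruby 1.9 and later an Array interpolates in its inspect form, so that path never exists and the `selinux` fact would report "false" on a host where SELinux is active; on 1.8 it only works while exactly one mountinfo line matches. Manifests may gate security settings on these facts, so the helper should return one String and fall back to the previous `/selinux` when nothing is found, as sketched below. The regex also matches `selinuxfs` anywhere on the line rather than in the filesystem-type field, which is worth tightening separately.

```ruby
def selinux_mount_point
  path = '/selinux' # previous static location, kept as the fallback
  if FileTest.exists?('/proc/self/mountinfo')
    File.open('/proc/self/mountinfo') do |f|
      entry = f.find { |line| line =~ /selinuxfs/ }
      path = entry.split[4] if entry
    end
  end
  path
end
```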
