Please review pull request #646: (#8714) Process symlinks correctly during SELinux fs-type detection opened by (seanmil)
Description:
Symlinks support SELinux file labels independent of the target
file or the capabilities of the target filesystem. This corrects
the filesystem detection used to determine if a file should support
a SELinux label to properly support symlinks which exist on capable
filesystems that have a destination on non-capable filesystems.
This is my second take on this issue to address https://projects.puppetlabs.com/issues/8714 and replaces the incorrect fix proposed in https://github.com/puppetlabs/puppet/pull/563.
Thanks!
Sean
- Opened: Mon Apr 09 19:07:21 UTC 2012
- Based on: puppetlabs:master (d4646526905f78ad4e2027c5b1d069d446d926b4)
- Requested merge: seanmil:bug/8714-selinux_symlink_fix-v2 (ee0fad866bd9967b0ce0867c8994dc183c8fbdf8)
Diff follows:
diff --git a/lib/puppet/util/selinux.rb b/lib/puppet/util/selinux.rb
index 17c631b..b2a1a62 100644
--- a/lib/puppet/util/selinux.rb
+++ b/lib/puppet/util/selinux.rb
@@ -189,6 +189,16 @@ def find_fs(path)
end
# For a given file:
+ # If the file is a symlink, then we start processing with the
+ # parent directory. If the symlink points to another mount
+ # point and we call realpath() on it then we end up
+ # determining if the destination of the symlink can support
+ # SELinux when what we really want to know is if the
+ # filesystem where the symlink lives can support it.
+ if File.symlink?(path)
+ path = parent_directory(path)
+ end
+
# Check if the filename is in the data structure;
# return the fstype if it is.
# Just in case: return something if you're down to "/" or ""
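Review bot: The added comment and the `if File.symlink?(path)` block land between `# For a given file:` and `# Check if the filename is in the data structure;`, which splits the existing comment describing the lookup, so "For a given file:" now introduces the symlink explanation instead of the steps it used to head. Move the added lines above `# For a given file:` so both comments read intact. The three-line conditional could also be written in modifier form, `path = parent_directory(path) if File.symlink?(path)`. Since the check is made on the path as passed in, the comment could say explicitly that only the final path component is exempted from resolution and that processing continues from its parent directory.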
diff --git a/spec/unit/util/selinux_spec.rb b/spec/unit/util/selinux_spec.rb
index 0eaf43c..a711219 100755
--- a/spec/unit/util/selinux_spec.rb
+++ b/spec/unit/util/selinux_spec.rb
@@ -67,10 +67,25 @@ def self.is_selinux_enabled
it "should follow symlinks when determining file systems" do
self.stubs(:realpath).with('/mnt/symlink/testfile').returns('/mnt/nfs/dest/testfile')
+ File.stubs(:symlink?).with('/mnt/symlink/testfile').returns(false)
selinux_label_support?('/mnt/symlink/testfile').should be_false
end
+ it "should check filesystem capability for the symlink, not the destination, on a capable filesystem" do
+ self.stubs(:realpath).with('/mnt').returns('/mnt')
+ File.stubs(:symlink?).with('/mnt/symlink').returns(true)
+
+ selinux_label_support?('/mnt/symlink').should be_true
+ end
+
+ it "should check filesystem capability for the symlink, not the destination, on a non-capable filesystem" do
+ self.stubs(:realpath).with('/mnt/symlink').returns('/mnt/nfs/dest')
+ File.stubs(:symlink?).with('/mnt/symlink/testsymlink').returns(true)
+
+ selinux_label_support?('/mnt/symlink/testsymlink').should be_false
+ end
+
end
describe "realpath" do
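Review bot: The existing example "should follow symlinks when determining file systems" now stubs `File.symlink?` to return false for '/mnt/symlink/testfile', so it covers a regular file beneath a symlinked directory, but its title no longer makes that distinction next to the two new symlink examples. Rename it along the lines of "should follow symlinked parent directories for a regular file". The new examples show that the parent is what gets resolved only through which `realpath` argument is stubbed ('/mnt' and '/mnt/symlink'); an explicit expectation that `realpath` is not called with the symlink path itself would make that intent checked rather than implied.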
