Ensure files created by authorized_key have correct selinux context

Three changes:
* Add set_default_selinux_context() to module_common that sets
  a file's context according to the defaults in the policy
* In atomic_replace(), set the default context for the file if
  selinux is enabled and the destination file does not exist.
* In authorized_key, set the default context when creating
  $HOME/.ssh and $HOME/.ssh/authorized_keys.  If these already
  exist, this won't touch them.
reviewable/pr18780/r1
Stephen Fromm 12 years ago
parent 393079d5e4
commit d8e3a00933

@ -97,6 +97,8 @@ def keyfile(module, user, write=False):
if not os.path.exists(sshdir): if not os.path.exists(sshdir):
os.mkdir(sshdir, 0700) os.mkdir(sshdir, 0700)
if module.selinux_enabled():
module.set_default_selinux_context(sshdir, False)
os.chown(sshdir, uid, gid) os.chown(sshdir, uid, gid)
os.chmod(sshdir, 0700) os.chmod(sshdir, 0700)
@ -105,6 +107,8 @@ def keyfile(module, user, write=False):
f = open(keysfile, "w") #touches file so we can set ownership and perms f = open(keysfile, "w") #touches file so we can set ownership and perms
finally: finally:
f.close() f.close()
if module.selinux_enabled():
module.set_default_selinux_context(keysfile, False)
os.chown(keysfile, uid, gid) os.chown(keysfile, uid, gid)
os.chmod(keysfile, 0600) os.chmod(keysfile, 0600)
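Review bot: The return value of `module.set_default_selinux_context(sshdir, False)` is discarded, and the same holds for the matching call on `keysfile` in the second hunk, so if that helper signals a labelling failure through its return value (it is defined in module_common, outside this hunk) the directory or key file is created with whatever label it got by default and the task still reports success; under an enforcing policy a mislabelled `authorized_keys` is exactly the kind of silent failure that locks the user out. If the helper does report status, check it here and route a failure through the module's normal failure path rather than continuing to the `os.chown` / `os.chmod` lines. The trailing positional `False` is also unexplained at both call sites; a one-line comment stating what that argument controls, taken from the helper's definition, would save the next reader a trip to module_common. The enclosing `keyfile()` starts before the first hunk and continues past the second.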
