Compare commits
36 Commits
yum-suppor
...
v1.1.0
Author | SHA1 | Date | |
---|---|---|---|
0e577bebc5
|
|||
6305fd053b
|
|||
5e5b77ed5e
|
|||
cd33f98b8b
|
|||
7ac103033c
|
|||
3ac30e5539
|
|||
39a61aeddd
|
|||
aafe46d429
|
|||
aae85806c1
|
|||
0ea7804427
|
|||
688af9ac62
|
|||
06ad5bde9e
|
|||
ac1a0baf92
|
|||
214ec6abad
|
|||
f5adcbc140
|
|||
5a20f43255
|
|||
a0a58c46d9
|
|||
3e3252ed48
|
|||
9eebd56869
|
|||
5d5947c99e
|
|||
afa616916d
|
|||
fd66a30de4
|
|||
994b93e3b4
|
|||
8a29ab82b0
|
|||
13e56c6d56
|
|||
4ca971687b
|
|||
eca94f40d9
|
|||
81dfa5567e
|
|||
b1c520b257
|
|||
712a4e986f
|
|||
32b98e4dbc
|
|||
44088bd64b
|
|||
aadd0e2641
|
|||
1322918dcc
|
|||
79dd24809d | |||
04cbedb9c0 |
16
bin/sau
16
bin/sau
@ -1,4 +1,4 @@
|
||||
#!/usr/bin/env python3.6
|
||||
#!/usr/bin/env python3.7
|
||||
import configparser
|
||||
import logging
|
||||
import logging.handlers
|
||||
@ -12,7 +12,7 @@ import sau.services
|
||||
import sau.platforms
|
||||
|
||||
def init():
|
||||
sau.config = configparser.SafeConfigParser()
|
||||
sau.config = configparser.ConfigParser()
|
||||
conf = sau.config
|
||||
|
||||
if platform.system() == 'FreeBSD':
|
||||
@ -46,6 +46,12 @@ def init():
|
||||
|
||||
def fork_and_reboot():
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
if os.path.exists('/proc/1/comm'):
|
||||
with open('/proc/1/comm', 'r') as f:
|
||||
if f.readline().strip() == 'systemd':
|
||||
os.execl('/usr/bin/systemctl', 'reboot')
|
||||
log.error("Failed to execl?")
|
||||
sys.exit(1)
|
||||
try:
|
||||
pid = os.fork()
|
||||
if pid != 0:
|
||||
@ -99,16 +105,16 @@ def main():
|
||||
reboot_required = platform.system_upgrade()
|
||||
|
||||
if conf.getboolean('default', 'do_package_upgrade', fallback=True):
|
||||
platform.pkg_upgrade()
|
||||
reboot_required = reboot_required or platform.pkg_upgrade()
|
||||
|
||||
if conf.getboolean('default', 'do_service_restart', fallback=True):
|
||||
reboot_recommended = sau.services.restart_services()
|
||||
|
||||
if conf.getboolean('default', 'do_reboot', fallback=False):
|
||||
if reboot_required:
|
||||
log.warning('Rebooting because of a system upgrade')
|
||||
log.info('Rebooting because of a system upgrade')
|
||||
elif reboot_recommended:
|
||||
log.warning('Rebooting because service restarts did not close all deleted files')
|
||||
log.info('Rebooting because service restarts did not close all deleted files')
|
||||
if reboot_required or reboot_recommended:
|
||||
fork_and_reboot()
|
||||
|
||||
|
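Review bot: In main(), `reboot_required = reboot_required or platform.pkg_upgrade()` short-circuits: once system_upgrade() has returned True, pkg_upgrade() is never called, so do_package_upgrade=yes is silently skipped on exactly the runs that already need a reboot. Evaluate the call unconditionally and combine afterwards: `pkg_reboot = platform.pkg_upgrade()` followed by `reboot_required = reboot_required or pkg_reboot`. In fork_and_reboot(), `os.execl('/usr/bin/systemctl', 'reboot')` passes 'reboot' as argv[0] with no further arguments, so it relies on systemctl's program-name compatibility rather than an explicit command; `os.execl('/usr/bin/systemctl', 'systemctl', 'reboot')` states the intent unambiguously. Both main() and fork_and_reboot() extend beyond the hunks shown, so whether reboot_recommended is initialised before the do_service_restart branch cannot be confirmed here.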
20
config.cfg
20
config.cfg
@ -16,9 +16,14 @@ version_sensitivity=1
|
||||
# not close all deleted files (any platform)
|
||||
do_reboot=no
|
||||
|
||||
# FreeBSD system update (freebsd-update fetch install, not freebsd-update upgrade)
|
||||
# Attempt to do a system upgrade
|
||||
# FreeBSD: upgrade to latest patch version using freebsd-update fetch install
|
||||
# Gentoo: allow upgrade of sys-kernel/-packages, clean old kernels, and update grub-config
|
||||
do_system_upgrade=yes
|
||||
|
||||
# On Gentoo kernel upgrades, remove all but the last keep_kernels kernels from /boot
|
||||
keep_kernels=4
|
||||
|
||||
# upgrade packages
|
||||
do_package_upgrade=yes
|
||||
|
||||
@ -30,6 +35,9 @@ default_service_policy=ignore
|
||||
# do depclean on Gentoo
|
||||
do_depclean=yes
|
||||
|
||||
# do eix-sync on Gentoo
|
||||
do_reposync=yes
|
||||
|
||||
# to only write to stderr when something unexpected happens or manual action is required
|
||||
# set stderr_loglevel to warning
|
||||
stderr_loglevel=debug
|
||||
@ -41,12 +49,10 @@ syslog_loglevel=info
|
||||
# platform
|
||||
[packages]
|
||||
# Gentoo uses the category/package naming scheme
|
||||
dev-db/postgresql=2
|
||||
dev-db/postgresql=1
|
||||
|
||||
# Gentoo kernel stuff should be updated manually
|
||||
sys-kernel/gentoo-sources=-1
|
||||
sys-kernel/spl=-1
|
||||
sys-fs/zfs-kmod=-1
|
||||
# It's safer to upgrade zfs manually
|
||||
sys-fs/zfs-kmod=99
|
||||
|
||||
# FreeBSD uses the short package name (without category)
|
||||
gitlab=2
|
||||
@ -64,7 +70,7 @@ qemu-system-x86_64=
|
||||
#ruby24=puppetserver puppetdb
|
||||
|
||||
# The services section contains restart policy for specific services.
|
||||
# valid policies are 'ignore', 'warn', 'restart' and 'silent-restart'.
|
||||
# valid policies are 'ignore', 'warn', 'restart', 'silent-restart' and 'reboot'.
|
||||
# 'silent-restart' is like 'restart', but will not log a warning when
|
||||
# the service is restarted.
|
||||
[services]
|
||||
|
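Review bot: The comment above [services] lists 'reboot' as the fifth valid policy, but the policy parser in sau/services.py in this same change also accepts 'silent-reboot' for a per-service entry (and only 'reboot' for default_service_policy); the comment should say so, e.g. `# valid policies are 'ignore', 'warn', 'restart', 'silent-restart', 'reboot' and 'silent-reboot'.` with a following line noting that 'silent-reboot' is not accepted as default_service_policy. The new `sys-fs/zfs-kmod=99` entry also deserves a word on what a level of 99 means relative to version_sensitivity, since the neighbouring comment only says a manual upgrade is safer.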
@ -132,5 +132,14 @@ def pkg_upgrade():
|
||||
for line in err.splitlines():
|
||||
log.warning('stderr: {}'.format(line))
|
||||
|
||||
if conf.getboolean('default', 'do_depclean', fallback=False):
|
||||
cmd = [ PKG_PATH, 'autoremove', '-yq' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||
if ret != 0 or err:
|
||||
log.warning('{} failed:'.format(' '.join(cmd)))
|
||||
for line in out.splitlines():
|
||||
log.warning('stdout: {}'.format(line))
|
||||
for line in err.splitlines():
|
||||
log.warning('stderr: {}'.format(line))
|
||||
return True
|
||||
|
||||
|
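Review bot: The `return True` that now ends pkg_upgrade() is unconditional, so every run that reaches it reports a reboot as required even when `pkg autoremove` failed or, as far as this hunk shows, when nothing was upgraded; main() in this same change folds this return value into reboot_required. If the intent is "a package upgrade happened, so reboot", return a flag that is set only on a successful upgrade, and if depclean should not trigger a reboot on its own leave it unset there. The file header for this hunk is not visible in the rendering and pkg_upgrade() starts outside it, so whether an earlier early-return already covers the no-upgrade case cannot be confirmed here.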
120
sau/gentoo.py
120
sau/gentoo.py
@ -5,10 +5,13 @@ import re
|
||||
import sau
|
||||
import sau.helpers
|
||||
|
||||
EIX_UPDATE_PATH='/usr/bin/eix-update'
|
||||
EIX_SYNC_PATH='/usr/bin/eix-sync'
|
||||
RC_SERVICE_PATH='/sbin/rc-service'
|
||||
SYSTEMCTL='/usr/bin/systemctl'
|
||||
EMERGE_PATH='/usr/bin/emerge'
|
||||
EQUERY_PATH='/usr/bin/equery'
|
||||
EMAINT_PATH='/usr/sbin/emaint'
|
||||
GRUB_MKCONFIG='/usr/sbin/grub-mkconfig'
|
||||
|
||||
# parsing output from eix -Ttnc
|
||||
package_re = re.compile('^\[([^\]])\] ([^ ]*) \((.*)\): .*$')
|
||||
@ -18,18 +21,17 @@ slot_re = re.compile('^(\(~\))?([^\(]+)(\([^\)]+\))$')
|
||||
def identify_service_from_bin(exe):
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
|
||||
init_script_re = re.compile(r'/etc/init\.d/(.*)')
|
||||
with open('/proc/1/comm', 'r') as f:
|
||||
if f.readline().strip() == 'systemd':
|
||||
init_script_re = re.compile(r'[^/]*(.*)\.service$')
|
||||
else:
|
||||
init_script_re = re.compile(r'/etc/init\.d/(.*)')
|
||||
|
||||
cmd = [ EQUERY_PATH, '-Cq', 'b', exe ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd)
|
||||
|
||||
if ret != 0:
|
||||
log.warning("searching for owner of {} failed:".format(exe))
|
||||
for line in out.splitlines():
|
||||
log.warning("stdout: {}".format(line))
|
||||
for line in err.splitlines():
|
||||
log.warning("stderr: {}".format(line))
|
||||
return None
|
||||
raise sau.errors.UnknownServiceError("searching for owner of {} failed:".format(exe))
|
||||
|
||||
pkg = out.strip()
|
||||
cmd = [ EQUERY_PATH, '-Cq', 'f', pkg ]
|
||||
@ -48,9 +50,9 @@ def identify_service_from_bin(exe):
|
||||
if match:
|
||||
matches.add(match.group(1))
|
||||
if len(matches) < 1:
|
||||
log.warning('Could not find any init script in package {}'.format(pkg))
|
||||
raise sau.errors.UnknownServiceError('Could not find any init script in package {}'.format(pkg))
|
||||
elif len(matches) > 1:
|
||||
log.warning('Found multiple init script in package {}'.format(pkg))
|
||||
raise sau.errors.UnknownServiceError('Found multiple init script in package {}'.format(pkg))
|
||||
else:
|
||||
return matches.pop()
|
||||
return None
|
||||
@ -58,7 +60,11 @@ def identify_service_from_bin(exe):
|
||||
|
||||
def restart_service(service):
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
cmd = [ RC_SERVICE_PATH, service, 'restart' ]
|
||||
with open('/proc/1/comm', 'r') as f:
|
||||
if f.readline().strip() == 'systemd':
|
||||
cmd = [ SYSTEMCTL, 'restart', service ]
|
||||
else:
|
||||
cmd = [ RC_SERVICE_PATH, service, 'restart' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd)
|
||||
|
||||
if ret != 0:
|
||||
@ -72,14 +78,18 @@ def restart_service(service):
|
||||
|
||||
def system_upgrade():
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
log.debug('Gentoo has no concept of system upgrade, ignoring...')
|
||||
log.debug('Gentoo "system_upgrade" is done at package upgrade stage; ignoring here...')
|
||||
return False
|
||||
|
||||
def _sync_portage():
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
|
||||
cmd = [ EMERGE_PATH, '-q', '--sync' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||
if os.path.exists(EIX_SYNC_PATH):
|
||||
cmd = [ EIX_SYNC_PATH, '-q' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||
else:
|
||||
cmd = [ EMERGE_PATH, '-q', '--sync' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||
|
||||
if ret != 0:
|
||||
log.warning("Portage sync failed:")
|
||||
@ -88,34 +98,34 @@ def _sync_portage():
|
||||
for line in err.splitlines():
|
||||
log.warning("stderr: {}".format(line))
|
||||
|
||||
if os.path.exists(EIX_UPDATE_PATH):
|
||||
cmd = [ EIX_UPDATE_PATH, '-q' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||
cmd = [ EMAINT_PATH, '-f', 'all' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=3600)
|
||||
|
||||
if ret != 0:
|
||||
log.warning("emaint failed:")
|
||||
for line in out.splitlines():
|
||||
log.warning("stdout: {}".format(line))
|
||||
for line in err.splitlines():
|
||||
log.warning("stderr: {}".format(line))
|
||||
|
||||
|
||||
if ret != 0:
|
||||
log.warning("eix-update failed:")
|
||||
for line in out.splitlines():
|
||||
log.warning("stdout: {}".format(line))
|
||||
for line in err.splitlines():
|
||||
log.warning("stderr: {}".format(line))
|
||||
|
||||
|
||||
def pkg_upgrade():
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
conf = sau.config
|
||||
do_system_upgrade = conf.getboolean('default', 'do_system_upgrade', fallback=False)
|
||||
|
||||
_sync_portage()
|
||||
if conf.getboolean('default', 'do_reposync', fallback=True):
|
||||
_sync_portage()
|
||||
|
||||
# [ebuild U ] media-plugins/alsa-plugins-1.1.8 [1.1.6]
|
||||
pretend_re = re.compile(r'^\[ebuild ([^\]]*)\] ([^ ]+)( \[[^\]]+\])?')
|
||||
# media-plugins/alsa-plugins-1.1.8
|
||||
version_re = re.compile(r'^(.*/.*)-(\d+.*)$')
|
||||
|
||||
pretend_re = re.compile(r'^\[(?:ebuild|binary) ([^\]]*)\] ([^ ]+?)-(\d[-\.\w]*)( \[[^\]]+\])?')
|
||||
ignore_re = re.compile(r'^(|.*caus.* rebuilds.*|.*scheduled for merge.*|.*waiting for lock on.*)$')
|
||||
|
||||
default_version_sens = conf.getint('default', 'version_sensitivity', fallback=1)
|
||||
|
||||
cmd = [ EMERGE_PATH, '--color', 'n', '-uDNpq', '@world' ]
|
||||
cmd = [ EMERGE_PATH, '--color', 'n', '-uDNpq', '--with-bdeps=y', '@world' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd)
|
||||
|
||||
if not ret == 0:
|
||||
@ -127,6 +137,7 @@ def pkg_upgrade():
|
||||
return False
|
||||
|
||||
do_rebuild = True
|
||||
do_grub = False
|
||||
for line in out.splitlines():
|
||||
if re.match(ignore_re, line):
|
||||
continue
|
||||
@ -136,28 +147,32 @@ def pkg_upgrade():
|
||||
continue
|
||||
status = match.group(1)
|
||||
name = match.group(2)
|
||||
old = match.group(3)
|
||||
new = match.group(3)
|
||||
old = match.group(4)
|
||||
if not old:
|
||||
continue
|
||||
old = old.strip(' []')
|
||||
nmatch = re.match(version_re, name)
|
||||
name = nmatch.group(1)
|
||||
version = nmatch.group(2)
|
||||
|
||||
sens = conf.getint('packages', name, fallback=default_version_sens)
|
||||
common = sau.helpers.version_diff(version, old)
|
||||
common = sau.helpers.version_diff(new, old)
|
||||
if sens <= common:
|
||||
log.info('{}-{} -> {} configured level {} <= pkg level {}'.format(name, old, version, sens, common))
|
||||
log.info('{} -- {} -> {} configured level {} <= pkg level {}'.format(name, old, new, sens, common))
|
||||
else:
|
||||
log.warning('{}-{} -> {} configured level {} > pkg level {}'.format(name, old, version, sens, common))
|
||||
log.warning('{} -- {} -> {} configured level {} > pkg level {}'.format(name, old, new, sens, common))
|
||||
do_rebuild = False
|
||||
if name.startswith('sys-kernel/'):
|
||||
if do_system_upgrade:
|
||||
do_grub = True
|
||||
else:
|
||||
log.warning(f"Kernel package {name} has an update, but system upgrade is disabled")
|
||||
do_rebuild = False
|
||||
|
||||
if not do_rebuild:
|
||||
log.warning('Some packages require manual attention, did not upgrade')
|
||||
return False
|
||||
|
||||
cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '@world' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
|
||||
cmd = [ EMERGE_PATH, '--color', 'n', '-uDNq', '--with-bdeps=y', '@world' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
|
||||
|
||||
if ret != 0 or err:
|
||||
log.warning('emerge returned {}'.format(ret))
|
||||
@ -172,7 +187,7 @@ def pkg_upgrade():
|
||||
log.warning(line)
|
||||
|
||||
cmd = [ EMERGE_PATH, '--color', 'n', '-q', '@preserved-rebuild' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=36000)
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd, timeout=72000)
|
||||
|
||||
if ret != 0 or err:
|
||||
log.warning('preserved-rebuild returned {}'.format(ret))
|
||||
@ -200,3 +215,30 @@ def pkg_upgrade():
|
||||
for line in out.splitlines():
|
||||
if line.startswith(' * '):
|
||||
log.warning(line)
|
||||
|
||||
if do_grub and os.path.exists(GRUB_MKCONFIG):
|
||||
keep_kernels = conf.getint('default', 'keep_kernels', fallback=4)
|
||||
if keep_kernels < 1:
|
||||
log.error('keep_kernels cannot be less than one; falling back to default')
|
||||
keep_kernels = 4
|
||||
for root, dirs, files in os.walk('/boot'):
|
||||
for sysfile in ['config', 'initramfs', 'System.map', 'vmlinuz']:
|
||||
match = sorted(
|
||||
[f for f in files if f.startswith(f'{sysfile}-')],
|
||||
reverse=True)
|
||||
for f in match[keep_kernels:]:
|
||||
log.debug(f"Removing old kernel file {f}")
|
||||
os.remove(os.path.join(root, f))
|
||||
break
|
||||
|
||||
cmd = [ GRUB_MKCONFIG, '-o', '/boot/grub/grub.cfg' ]
|
||||
ret, out, err = sau.helpers.exec_cmd(cmd)
|
||||
if ret != 0:
|
||||
log.warning(f"grub-mkconfig returned {ret}:")
|
||||
for line in out.splitlines():
|
||||
log.warning('stdout: {}'.format(line))
|
||||
for line in err.splitlines():
|
||||
log.warning('stderr: {}'.format(line))
|
||||
else:
|
||||
log.info("grub reconfigured")
|
||||
return True
|
||||
|
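Review bot: The kernel-file cleanup added at the end of pkg_upgrade() orders candidates with `sorted(..., reverse=True)` on the bare file name, which is lexical: 'vmlinuz-5.9.0-gentoo' sorts after 'vmlinuz-5.10.0-gentoo', so with a small keep_kernels the newest (possibly running) kernel's files are the ones removed from /boot while older ones survive. Sort on the numeric components of the name instead and never delete files that belong to the running kernel (`os.uname().release`); the prefix match itself is fine, including for initramfs names that carry a suffix, as long as the key ignores trailing text. The loop only visits the top level of /boot because of the `break`, which looks intended but deserves a comment. pkg_upgrade() starts well outside this hunk.
```python
running = os.uname().release
for root, dirs, files in os.walk('/boot'):
    for sysfile in ['config', 'initramfs', 'System.map', 'vmlinuz']:
        # numeric components only, so 5.10 sorts above 5.9 (string order does not)
        match = sorted(
            [f for f in files if f.startswith(f'{sysfile}-')],
            key=lambda f: tuple(int(x) for x in re.findall(r'\d+', f[len(sysfile) + 1:])),
            reverse=True)
        for f in match[keep_kernels:]:
            if running in f:
                log.warning(f"Not removing {f}: it belongs to the running kernel {running}")
                continue
            log.debug(f"Removing old kernel file {f}")
            os.remove(os.path.join(root, f))
    break  # only the top level of /boot is managed here
# … unchanged: grub-mkconfig invocation and logging …
```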
@ -1,17 +1,21 @@
|
||||
import logging
|
||||
import os
|
||||
import subprocess
|
||||
import time
|
||||
|
||||
import sau
|
||||
|
||||
def exec_cmd(cmd, timeout=900, env = None):
|
||||
my_env = os.environ.copy()
|
||||
if env:
|
||||
my_env.update(env)
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
log.debug('Executing "{}"'.format(' '.join(cmd)))
|
||||
proc = subprocess.Popen(
|
||||
cmd,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE,
|
||||
env = env)
|
||||
env = my_env)
|
||||
out = b""
|
||||
err = b""
|
||||
|
||||
|
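Review bot: exec_cmd() now overlays `env` on a copy of os.environ instead of handing the caller's dict to Popen as the complete environment, which is a behaviour change for any caller that relied on `env` replacing the environment, and the function has no docstring stating it. Add one, e.g. `"""Run cmd with stdout/stderr captured; entries in env are added to (not substituted for) a copy of the current environment."""`. exec_cmd() continues past the end of the hunk, so the timeout handling is not reviewed here.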
@ -1,3 +1,4 @@
|
||||
import os
|
||||
import platform
|
||||
|
||||
import sau.errors
|
||||
@ -9,9 +10,10 @@ def get_platform():
|
||||
if platform.system() == 'FreeBSD':
|
||||
platform_mod = sau.freebsd
|
||||
elif platform.system() == 'Linux':
|
||||
if 'gentoo' in platform.release():
|
||||
if os.path.exists('/usr/bin/emerge'):
|
||||
platform_mod = sau.gentoo
|
||||
|
||||
|
||||
if not platform_mod:
|
||||
raise sau.errors.PlatformNotSupported("System: {} Release: {} Version: {} is not supported".format(
|
||||
platform.system(),
|
||||
|
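Review bot: get_platform() now detects Gentoo by `os.path.exists('/usr/bin/emerge')`, duplicating the path that sau/gentoo.py defines as `EMERGE_PATH` in this same change; since the branch assigns `sau.gentoo` anyway, `if os.path.exists(sau.gentoo.EMERGE_PATH):` keeps the two in step. Presence of emerge is also weaker evidence than the release string it replaces (a chroot or prefix install with portage on another distribution would match), so a comment recording why the release check was dropped would help the next reader. get_platform() starts outside the hunk.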
@ -1,4 +1,3 @@
|
||||
#!/usr/bin/env python3.6
|
||||
import logging
|
||||
import os
|
||||
import re
|
||||
@ -12,6 +11,11 @@ import sau.platforms
|
||||
|
||||
proc_fd_map_re = re.compile(r'^.*(/[^\(]*) \(deleted\)$')
|
||||
|
||||
def _warn(policy, msg):
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
if not policy.startswith('silent'):
|
||||
log.warning(msg)
|
||||
|
||||
def _get_deleted_open_files(proc):
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
files = set()
|
||||
@ -93,6 +97,8 @@ def restart_services():
|
||||
processes = {}
|
||||
services = {}
|
||||
for proc in service_procs:
|
||||
if not proc:
|
||||
continue
|
||||
try:
|
||||
service_exe = proc.exe()
|
||||
proc_name = proc.name()
|
||||
@ -108,6 +114,7 @@ def restart_services():
|
||||
services[proc_name] = service_name
|
||||
processes[service_name] = [proc]
|
||||
|
||||
recommend_restart = False
|
||||
for service in set([x for x in services.values() if x]):
|
||||
policy = _get_service_restart_policy(service)
|
||||
if policy == 'ignore':
|
||||
@ -116,11 +123,12 @@ def restart_services():
|
||||
elif policy == 'warn':
|
||||
log.warning('Service "{}" has open deleted files and should be restarted'.format(service))
|
||||
continue
|
||||
if not policy.startswith('silent'):
|
||||
log.warning('Restarting service {}'.format(service))
|
||||
elif 'reboot' in policy:
|
||||
_warn(policy, 'Rebooting because {} has opened files'.format(service))
|
||||
recommend_restart = True
|
||||
_warn(policy, 'Restarting service {}'.format(service))
|
||||
platform.restart_service(service)
|
||||
|
||||
recommend_restart = False
|
||||
tested_parents = set()
|
||||
for proc in retest_procs:
|
||||
parent = _get_top_parent(proc)
|
||||
@ -138,10 +146,11 @@ def restart_services():
|
||||
log.warning('could not re-check process {} - failed to identify service'.format(proc))
|
||||
recommend_restart = True
|
||||
continue
|
||||
policy = _get_service_restart_policy(service)
|
||||
|
||||
log.debug('{} is in service {}'.format(proc, service))
|
||||
if parent_name in services and not services[parent_name]:
|
||||
log.warning('{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
|
||||
_warn(policy, '{} (parent {}) does not belong to a service and could not be restarted'.format(proc, parent))
|
||||
recommend_restart = True
|
||||
continue
|
||||
elif parent_name in services:
|
||||
@ -149,7 +158,7 @@ def restart_services():
|
||||
log.debug('service {} has policy {}'.format(service, policy))
|
||||
if policy in ('ignore', 'warn'):
|
||||
continue
|
||||
log.warning('{} (parent {}) still has deleted files open'.format(proc, parent))
|
||||
_warn(policy, '{} (parent {}) still has deleted files open'.format(proc, parent))
|
||||
recommend_restart = True
|
||||
return recommend_restart
|
||||
|
||||
@ -157,13 +166,13 @@ def _get_service_restart_policy(service):
|
||||
log = logging.getLogger(sau.LOGNAME)
|
||||
conf = sau.config
|
||||
policy = conf.get('services', service, fallback=None)
|
||||
if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
|
||||
if policy and policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot', 'silent-reboot'):
|
||||
return policy.lower()
|
||||
elif policy:
|
||||
log.warning('service policy {} for {} is invalid'.format(policy, service))
|
||||
|
||||
default_policy = conf.get('default', 'default_service_policy', fallback='warn')
|
||||
if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart'):
|
||||
if default_policy.lower() in ('restart', 'warn', 'ignore', 'silent-restart', 'reboot'):
|
||||
return default_policy.lower()
|
||||
log.warning('default service policy {} is invalid'.format(default_policy))
|
||||
return 'warn'
|
||||
|
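Review bot: In _get_service_restart_policy() the per-service whitelist accepts both 'reboot' and 'silent-reboot' while the default_service_policy whitelist accepts only 'reboot', so a default of silent-reboot is rejected with a warning and falls back to 'warn'; if that asymmetry is intended it should be commented, otherwise add 'silent-reboot' to the second tuple as well, and either way a shared module-level tuple such as `VALID_POLICIES = ('restart', 'warn', 'ignore', 'silent-restart', 'reboot', 'silent-reboot')` would keep the two checks from drifting again. In restart_services(), the new `elif 'reboot' in policy:` branch sets recommend_restart and then, as far as the flattened rendering shows, falls through to `_warn(policy, 'Restarting service …')` and `platform.restart_service(service)`; if a reboot-policy service is meant to be restarted before the reboot that is fine but should be stated in the config comment, and if not, a `continue` is missing. restart_services() extends beyond the hunks shown.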
@ -1,2 +1,7 @@
|
||||
/usr/bin/sau gen_context(system_u:object_r:sau_exec_t,s0)
|
||||
/etc/sau.cfg gen_context(system_u:object_r:sau_config_t,s0)
|
||||
/usr/bin/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
|
||||
|
||||
# on gentoo python executables are executed via python-exec
|
||||
/usr/lib/python-exec/python[0-9\.]*/sau -- gen_context(system_u:object_r:sau_exec_t,s0)
|
||||
|
||||
|
||||
/etc/sau.cfg -- gen_context(system_u:object_r:sau_config_t,s0)
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(sau, 0.1)
|
||||
policy_module(sau, 0.9.1)
|
||||
|
||||
gen_require(`
|
||||
type system_cronjob_t;
|
||||
@ -16,6 +16,11 @@ domain_type(sau_t)
|
||||
domain_entry_file(sau_t, sau_exec_t)
|
||||
files_config_file(sau_config_t)
|
||||
read_files_pattern(sau_t, etc_t, sau_config_t);
|
||||
read_files_pattern(sau_t, etc_t, etc_t)
|
||||
files_read_etc_runtime_files(sau_t);
|
||||
search_dirs_pattern(sau_t, etc_t, etc_runtime_t);
|
||||
files_manage_generic_tmp_files(sau_t)
|
||||
files_manage_generic_tmp_dirs(sau_t)
|
||||
|
||||
role sysadm_r types sau_t;
|
||||
role system_r types sau_t;
|
||||
@ -23,14 +28,54 @@ role system_r types sau_t;
|
||||
domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
|
||||
domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
|
||||
|
||||
# this should be fixed, but I don't know enough selinux magic to restrict this
|
||||
# while still allowing it to inspect all open files for all processes
|
||||
unconfined_domain_noaudit(sau_t)
|
||||
domain_use_interactive_fds(sau_t)
|
||||
userdom_use_user_ptys(sau_t)
|
||||
userdom_use_all_users_fds(sau_t)
|
||||
|
||||
# required for python
|
||||
corecmd_mmap_bin_files(sau_t)
|
||||
mmap_exec_files_pattern(sau_t, tmp_t, tmp_t);
|
||||
|
||||
|
||||
read_files_pattern(sau_t, usr_t, usr_t)
|
||||
miscfiles_read_localization(sau_t)
|
||||
logging_send_syslog_msg(sau_t)
|
||||
allow sau_t self:fifo_file { read write };
|
||||
corecmd_exec_shell(sau_t)
|
||||
corecmd_exec_bin(sau_t)
|
||||
|
||||
# list processes
|
||||
kernel_read_system_state(sau_t)
|
||||
domain_read_all_domains_state(sau_t)
|
||||
allow sau_t self:capability sys_ptrace;
|
||||
|
||||
# I've tried it all; I don't know how to give sau permission to
|
||||
# run init-scripts :(
|
||||
init_all_labeled_script_domtrans(sau_t)
|
||||
init_domtrans_script(sau_t)
|
||||
init_read_utmp(sau_t)
|
||||
init_signull_script(sau_t)
|
||||
#init_startstop_all_script_services(sau_t)
|
||||
#init_use_script_ptys(sau_t)
|
||||
#init_domtrans_labeled_script(sau_t)
|
||||
#init_manage_script_service(sau_t)
|
||||
#init_read_script_status_files(sau_t)
|
||||
#allow sau_t initrc_state_t:lnk_file { getattr read };
|
||||
#allow sau_t initrc_state_t:dir { search read };
|
||||
#init_admin(sau_t)
|
||||
# FIXME: shouldn't have to be unconfined...
|
||||
unconfined_domain(sau_t)
|
||||
|
||||
|
||||
# allow during troubleshooting...
|
||||
#files_getattr_all_dirs(sau_t)
|
||||
#files_getattr_all_files(sau_t)
|
||||
|
||||
# Gentoo specific
|
||||
portage_read_config(sau_t)
|
||||
portage_read_ebuild(sau_t)
|
||||
portage_read_db(sau_t)
|
||||
portage_read_cache(sau_t)
|
||||
portage_domtrans(sau_t)
|
||||
|
||||
|
||||
# postfix
|
||||
postfix_admin(sau_t, system_r)
|
||||
|
||||
|
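Review bot: The new side of the large hunk still ends in `unconfined_domain(sau_t)` (with a FIXME), which grants sau_t everything and makes the granular rules above it — `allow sau_t self:capability sys_ptrace;`, the init_*, portage_* and postfix_admin interfaces — redundant while it stays; the rendering does not show whether this replaces the earlier `unconfined_domain_noaudit(sau_t)` or whether both survive. At minimum, comment that the specific rules are the intended confined policy and that unconfined_domain is a temporary escape hatch, and keep the non-noaudit variant so that any remaining denials surface in the audit log and can be turned into the missing interfaces. `read_files_pattern(sau_t, etc_t, etc_t)` in the earlier hunk likewise grants read on all of /etc rather than just sau_config_t; if only a few extra files are needed, naming them would narrow it.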
4
setup.py
4
setup.py
@ -1,11 +1,11 @@
|
||||
#!/usr/bin/env python3.6
|
||||
#!/usr/bin/env python3.7
|
||||
from os import environ
|
||||
|
||||
from setuptools import setup, find_packages
|
||||
|
||||
setup(
|
||||
name='sau',
|
||||
version='0.9.0',
|
||||
version='0.9.4',
|
||||
description='Tool for auto-updating OS and packages',
|
||||
author='Feffe',
|
||||
author_email='feffe@fulh.ax',
|
||||
|