[selinux] Use semanage and only run if selinux is not disabled

Updates the selinux plugin to only run the builk of selinux commands if selinux is not in a disabled state, as otherwise these commands do not produce useful output. The output of sestatus is still collected even if selinux is disabled so analysts still have a reference point for that information. Additionally, change to using semanage to collect the bulk of the data given that that is the recommended practice. Collection of semanage list output is now always collected, instead of being enabled by the 'list' option. Resolves: #1209 Signed-off-by: Jake Hunsaker <jhunsake@redhat.com> Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
author: Jake Hunsaker <jhunsake@redhat.com> 2018-01-12 10:08:54 -0500
committer: Bryn M. Reeves <bmr@redhat.com> 2018-04-23 15:58:37 +0100
commit: f72aaa6d190e9b6c941898c17faae883b414387b (patch)
tree: 7140070f53690b5e7953ea26fe7d51ace58aea99
parent: 26c45f41c527f1193aa4a12814d7d07f5505fe07 (diff)
download: sos-f72aaa6d190e9b6c941898c17faae883b414387b.tar.gz
1 files changed, 30 insertions, 18 deletions
diff --git a/sos/plugins/selinux.py b/sos/plugins/selinux.py
index 22835bb8..f9140699 100644
--- a/sos/plugins/selinux.py
+++ b/sos/plugins/selinux.py
@@ -23,30 +23,42 @@ class SELinux(Plugin, RedHatPlugin):
     profiles = ('system', 'security', 'openshift')
 
     option_list = [("fixfiles", 'Print incorrect file context labels',
-                    'slow', False),
-                   ("list", 'List objects and their context', 'slow', False)]
+                    'slow', False)]
     packages = ('libselinux',)
 
     def setup(self):
-        self.add_copy_spec("/etc/selinux")
-        self.add_cmd_output([
-            "sestatus -b",
-            "semodule -l",
-            "selinuxdefcon root",
-            "selinuxconlist root",
-            "selinuxexeccon /bin/passwd",
-            "semanage -o -",
-            "ps axuZww"
+        self.add_copy_spec([
+            '/etc/sestatus.conf',
+            '/etc/selinux'
         ])
-        if self.get_option('fixfiles'):
-            self.add_cmd_output("restorecon -Rvn /", stderr=False)
-        if self.get_option('list'):
+        self.add_cmd_output('sestatus')
+
+        state = self.get_command_output('getenforce')['output']
+        if state is not 'Disabled':
             self.add_cmd_output([
-                "semanage fcontext -l",
-                "semanage user -l",
-                "semanage login -l",
-                "semanage port -l"
+                'ps auxZww',
+                'sestatus -v',
+                'sestatus -b',
+                'selinuxdefcon root',
+                'selinuxconlist root',
+                'selinuxexeccon /bin/passwd',
+                'semanage -o'  # deprecated, may disappear at some point
             ])
 
+            subcmds = [
+                'fcontext',
+                'user',
+                'port',
+                'login',
+                'node',
+                'interface',
+                'module'
+            ]
+
+            for subcmd in subcmds:
+                self.add_cmd_output("semanage %s -l" % subcmd)
+
+            if self.get_option('fixfiles'):
+                self.add_cmd_output("restorecon -Rvn /", stderr=False)
 
 # vim: set et ts=4 sw=4 :
author	Jake Hunsaker <jhunsake@redhat.com>	2018-01-12 10:08:54 -0500
committer	Bryn M. Reeves <bmr@redhat.com>	2018-04-23 15:58:37 +0100
commit	f72aaa6d190e9b6c941898c17faae883b414387b (patch)
tree	7140070f53690b5e7953ea26fe7d51ace58aea99
parent	26c45f41c527f1193aa4a12814d7d07f5505fe07 (diff)
download	sos-f72aaa6d190e9b6c941898c17faae883b414387b.tar.gz